2 Unix SMB/CIFS implementation.
4 Extract the user/system database from a remote SamSync server
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
7 Copyright (C) Guenther Deschner <gd@samba.org> 2008
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "libnet/libnet_samsync.h"
26 #include "../lib/crypto/crypto.h"
27 #include "../libcli/samsync/samsync.h"
28 #include "../libcli/auth/libcli_auth.h"
29 #include "../librpc/gen_ndr/ndr_netlogon.h"
30 #include "../librpc/gen_ndr/cli_netlogon.h"
31 #include "../libcli/security/dom_sid.h"
34 * Fix up the delta, dealing with encryption issues so that the final
35 * callback need only do the printing or application logic
38 static NTSTATUS samsync_fix_delta_array(TALLOC_CTX *mem_ctx,
39 struct netlogon_creds_CredentialState *creds,
40 enum netr_SamDatabaseID database_id,
41 struct netr_DELTA_ENUM_ARRAY *r)
46 for (i = 0; i < r->num_deltas; i++) {
48 status = samsync_fix_delta(mem_ctx,
52 if (!NT_STATUS_IS_OK(status)) {
61 * libnet_samsync_init_context
64 NTSTATUS libnet_samsync_init_context(TALLOC_CTX *mem_ctx,
65 const struct dom_sid *domain_sid,
66 struct samsync_context **ctx_p)
68 struct samsync_context *ctx;
72 ctx = TALLOC_ZERO_P(mem_ctx, struct samsync_context);
73 NT_STATUS_HAVE_NO_MEMORY(ctx);
76 ctx->domain_sid = dom_sid_dup(mem_ctx, domain_sid);
77 NT_STATUS_HAVE_NO_MEMORY(ctx->domain_sid);
79 ctx->domain_sid_str = sid_string_talloc(mem_ctx, ctx->domain_sid);
80 NT_STATUS_HAVE_NO_MEMORY(ctx->domain_sid_str);
89 * samsync_database_str
92 static const char *samsync_database_str(enum netr_SamDatabaseID database_id)
95 switch (database_id) {
96 case SAM_DATABASE_DOMAIN:
98 case SAM_DATABASE_BUILTIN:
100 case SAM_DATABASE_PRIVS:
111 static const char *samsync_debug_str(TALLOC_CTX *mem_ctx,
112 enum net_samsync_mode mode,
113 enum netr_SamDatabaseID database_id)
115 const char *action = NULL;
118 case NET_SAMSYNC_MODE_DUMP:
119 action = "Dumping (to stdout)";
121 case NET_SAMSYNC_MODE_FETCH_PASSDB:
122 action = "Fetching (to passdb)";
124 case NET_SAMSYNC_MODE_FETCH_LDIF:
125 action = "Fetching (to ldif)";
127 case NET_SAMSYNC_MODE_FETCH_KEYTAB:
128 action = "Fetching (to keytab)";
135 return talloc_asprintf(mem_ctx, "%s %s database",
136 action, samsync_database_str(database_id));
143 static void libnet_init_netr_ChangeLogEntry(struct samsync_object *o,
144 struct netr_ChangeLogEntry *e)
148 e->db_index = o->database_id;
149 e->delta_type = o->object_type;
151 switch (e->delta_type) {
152 case NETR_DELTA_DOMAIN:
153 case NETR_DELTA_DELETE_GROUP:
154 case NETR_DELTA_RENAME_GROUP:
155 case NETR_DELTA_DELETE_USER:
156 case NETR_DELTA_RENAME_USER:
157 case NETR_DELTA_DELETE_ALIAS:
158 case NETR_DELTA_RENAME_ALIAS:
159 case NETR_DELTA_DELETE_TRUST:
160 case NETR_DELTA_DELETE_ACCOUNT:
161 case NETR_DELTA_DELETE_SECRET:
162 case NETR_DELTA_DELETE_GROUP2:
163 case NETR_DELTA_DELETE_USER2:
164 case NETR_DELTA_MODIFY_COUNT:
166 case NETR_DELTA_USER:
167 case NETR_DELTA_GROUP:
168 case NETR_DELTA_GROUP_MEMBER:
169 case NETR_DELTA_ALIAS:
170 case NETR_DELTA_ALIAS_MEMBER:
171 e->object_rid = o->object_identifier.rid;
173 case NETR_DELTA_SECRET:
174 e->object.object_name = o->object_identifier.name;
175 e->flags = NETR_CHANGELOG_NAME_INCLUDED;
177 case NETR_DELTA_TRUSTED_DOMAIN:
178 case NETR_DELTA_ACCOUNT:
179 case NETR_DELTA_POLICY:
180 e->object.object_sid = o->object_identifier.sid;
181 e->flags = NETR_CHANGELOG_SID_INCLUDED;
189 * libnet_samsync_delta
192 static NTSTATUS libnet_samsync_delta(TALLOC_CTX *mem_ctx,
193 enum netr_SamDatabaseID database_id,
194 uint64_t *sequence_num,
195 struct samsync_context *ctx,
196 struct netr_ChangeLogEntry *e)
199 NTSTATUS callback_status;
200 const char *logon_server = ctx->cli->desthost;
201 const char *computername = global_myname();
202 struct netr_Authenticator credential;
203 struct netr_Authenticator return_authenticator;
204 uint16_t restart_state = 0;
205 uint32_t sync_context = 0;
207 ZERO_STRUCT(return_authenticator);
210 struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
212 netlogon_creds_client_authenticator(ctx->cli->dc, &credential);
214 if (ctx->single_object_replication &&
215 !ctx->force_full_replication) {
216 result = rpccli_netr_DatabaseRedo(ctx->cli, mem_ctx,
220 &return_authenticator,
224 } else if (!ctx->force_full_replication &&
225 sequence_num && (*sequence_num > 0)) {
226 result = rpccli_netr_DatabaseDeltas(ctx->cli, mem_ctx,
230 &return_authenticator,
236 result = rpccli_netr_DatabaseSync2(ctx->cli, mem_ctx,
240 &return_authenticator,
248 if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED)) {
252 /* Check returned credentials. */
253 if (!netlogon_creds_client_check(ctx->cli->dc,
254 &return_authenticator.cred)) {
255 DEBUG(0,("credentials chain check failed\n"));
256 return NT_STATUS_ACCESS_DENIED;
259 if (NT_STATUS_IS_ERR(result)) {
263 samsync_fix_delta_array(mem_ctx,
268 /* Process results */
269 callback_status = ctx->ops->process_objects(mem_ctx, database_id,
273 if (!NT_STATUS_IS_OK(callback_status)) {
274 result = callback_status;
278 TALLOC_FREE(delta_enum_array);
280 } while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES));
291 NTSTATUS libnet_samsync(enum netr_SamDatabaseID database_id,
292 struct samsync_context *ctx)
294 NTSTATUS status = NT_STATUS_OK;
295 NTSTATUS callback_status;
297 const char *debug_str;
298 uint64_t sequence_num = 0;
301 if (!(mem_ctx = talloc_new(ctx))) {
302 return NT_STATUS_NO_MEMORY;
306 return NT_STATUS_INVALID_PARAMETER;
309 if (ctx->ops->startup) {
310 status = ctx->ops->startup(mem_ctx, ctx,
311 database_id, &sequence_num);
312 if (!NT_STATUS_IS_OK(status)) {
317 debug_str = samsync_debug_str(mem_ctx, ctx->mode, database_id);
319 d_fprintf(stderr, "%s\n", debug_str);
322 if (!ctx->single_object_replication) {
323 status = libnet_samsync_delta(mem_ctx, database_id,
324 &sequence_num, ctx, NULL);
328 for (i=0; i<ctx->num_objects; i++) {
330 struct netr_ChangeLogEntry e;
332 if (ctx->objects[i].database_id != database_id) {
336 libnet_init_netr_ChangeLogEntry(&ctx->objects[i], &e);
338 status = libnet_samsync_delta(mem_ctx, database_id,
339 &sequence_num, ctx, &e);
340 if (!NT_STATUS_IS_OK(status)) {
347 if (NT_STATUS_IS_OK(status) && ctx->ops->finish) {
348 callback_status = ctx->ops->finish(mem_ctx, ctx,
349 database_id, sequence_num);
350 if (!NT_STATUS_IS_OK(callback_status)) {
351 status = callback_status;
355 if (NT_STATUS_IS_ERR(status) && !ctx->error_message) {
357 ctx->error_message = talloc_asprintf(ctx,
358 "Failed to fetch %s database: %s",
359 samsync_database_str(database_id),
362 if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
365 talloc_asprintf_append(ctx->error_message,
366 "\nPerhaps %s is a Windows native mode domain?",
371 talloc_destroy(mem_ctx);
377 * pull_netr_AcctLockStr
380 NTSTATUS pull_netr_AcctLockStr(TALLOC_CTX *mem_ctx,
381 struct lsa_BinaryString *r,
382 struct netr_AcctLockStr **str_p)
384 struct netr_AcctLockStr *str;
385 enum ndr_err_code ndr_err;
388 if (!mem_ctx || !r || !str_p) {
389 return NT_STATUS_INVALID_PARAMETER;
394 str = TALLOC_ZERO_P(mem_ctx, struct netr_AcctLockStr);
396 return NT_STATUS_NO_MEMORY;
399 blob = data_blob_const(r->array, r->length);
401 ndr_err = ndr_pull_struct_blob(&blob, mem_ctx, str,
402 (ndr_pull_flags_fn_t)ndr_pull_netr_AcctLockStr);
404 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
405 return ndr_map_error2ntstatus(ndr_err);