static NTSTATUS fix_user(TALLOC_CTX *mem_ctx,
DATA_BLOB *session_key,
- bool rid_crypt,
enum netr_SamDatabaseID database_id,
struct netr_DELTA_ENUM *delta)
{
struct netr_DELTA_USER *user = delta->delta_union.user;
struct samr_Password lm_hash;
struct samr_Password nt_hash;
+ unsigned char zero_buf[16];
- if (rid_crypt) {
- if (user->lm_password_present) {
+ memset(zero_buf, '\0', sizeof(zero_buf));
+
+ /* Note that win2000 may send us all zeros
+ * for the hashes if it doesn't
+ * think this channel is secure enough. */
+ if (user->lm_password_present) {
+ if (memcmp(user->lmpassword.hash, zero_buf, 16) != 0) {
sam_pwd_hash(rid, user->lmpassword.hash, lm_hash.hash, 0);
- user->lmpassword = lm_hash;
+ } else {
+ memset(lm_hash.hash, '\0', sizeof(lm_hash.hash));
}
+ user->lmpassword = lm_hash;
+ }
- if (user->nt_password_present) {
+ if (user->nt_password_present) {
+ if (memcmp(user->ntpassword.hash, zero_buf, 16) != 0) {
sam_pwd_hash(rid, user->ntpassword.hash, nt_hash.hash, 0);
- user->ntpassword = nt_hash;
+ } else {
+ memset(nt_hash.hash, '\0', sizeof(nt_hash.hash));
}
+ user->ntpassword = nt_hash;
}
if (user->user_private_info.SensitiveData) {
user->user_private_info.SensitiveData = data.data;
user->user_private_info.DataLength = data.length;
- ndr_err = ndr_pull_struct_blob(&data, mem_ctx, &keys,
+ ndr_err = ndr_pull_struct_blob(&data, mem_ctx, NULL, &keys,
(ndr_pull_flags_fn_t)ndr_pull_netr_USER_KEYS);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
dump_data(10, data.data, data.length);
return ndr_map_error2ntstatus(ndr_err);
}
+ /* Note that win2000 may send us all zeros
+ * for the hashes if it doesn't
+ * think this channel is secure enough. */
if (keys.keys.keys2.lmpassword.length == 16) {
- if (rid_crypt) {
+ if (memcmp(keys.keys.keys2.lmpassword.pwd.hash,
+ zero_buf, 16) != 0) {
sam_pwd_hash(rid,
- keys.keys.keys2.lmpassword.pwd.hash,
- lm_hash.hash, 0);
- user->lmpassword = lm_hash;
+ keys.keys.keys2.lmpassword.pwd.hash,
+ lm_hash.hash, 0);
} else {
- user->lmpassword = keys.keys.keys2.lmpassword.pwd;
+ memset(lm_hash.hash, '\0', sizeof(lm_hash.hash));
}
+ user->lmpassword = lm_hash;
user->lm_password_present = true;
}
if (keys.keys.keys2.ntpassword.length == 16) {
- if (rid_crypt) {
+ if (memcmp(keys.keys.keys2.ntpassword.pwd.hash,
+ zero_buf, 16) != 0) {
sam_pwd_hash(rid,
- keys.keys.keys2.ntpassword.pwd.hash,
- nt_hash.hash, 0);
- user->ntpassword = nt_hash;
+ keys.keys.keys2.ntpassword.pwd.hash,
+ nt_hash.hash, 0);
} else {
- user->ntpassword = keys.keys.keys2.ntpassword.pwd;
+ memset(nt_hash.hash, '\0', sizeof(nt_hash.hash));
}
+ user->ntpassword = nt_hash;
user->nt_password_present = true;
}
/* TODO: rid decrypt history fields */
static NTSTATUS samsync_fix_delta(TALLOC_CTX *mem_ctx,
DATA_BLOB *session_key,
- bool rid_crypt,
enum netr_SamDatabaseID database_id,
struct netr_DELTA_ENUM *delta)
{
status = fix_user(mem_ctx,
session_key,
- rid_crypt,
database_id,
delta);
break;
static NTSTATUS samsync_fix_delta_array(TALLOC_CTX *mem_ctx,
DATA_BLOB *session_key,
- bool rid_crypt,
enum netr_SamDatabaseID database_id,
struct netr_DELTA_ENUM_ARRAY *r)
{
status = samsync_fix_delta(mem_ctx,
session_key,
- rid_crypt,
database_id,
&r->delta_enum[i]);
if (!NT_STATUS_IS_OK(status)) {
* libnet_samsync
*/
-NTSTATUS libnet_samsync(enum netr_SamDatabaseID database_id,
- struct samsync_context *ctx)
+void libnet_init_netr_ChangeLogEntry(struct samsync_object *o,
+ struct netr_ChangeLogEntry *e)
+{
+ ZERO_STRUCTP(e);
+
+ e->db_index = o->database_id;
+ e->delta_type = o->object_type;
+
+ switch (e->delta_type) {
+ case NETR_DELTA_DOMAIN:
+ case NETR_DELTA_DELETE_GROUP:
+ case NETR_DELTA_RENAME_GROUP:
+ case NETR_DELTA_DELETE_USER:
+ case NETR_DELTA_RENAME_USER:
+ case NETR_DELTA_DELETE_ALIAS:
+ case NETR_DELTA_RENAME_ALIAS:
+ case NETR_DELTA_DELETE_TRUST:
+ case NETR_DELTA_DELETE_ACCOUNT:
+ case NETR_DELTA_DELETE_SECRET:
+ case NETR_DELTA_DELETE_GROUP2:
+ case NETR_DELTA_DELETE_USER2:
+ case NETR_DELTA_MODIFY_COUNT:
+ break;
+ case NETR_DELTA_USER:
+ case NETR_DELTA_GROUP:
+ case NETR_DELTA_GROUP_MEMBER:
+ case NETR_DELTA_ALIAS:
+ case NETR_DELTA_ALIAS_MEMBER:
+ e->object_rid = o->object_identifier.rid;
+ break;
+ case NETR_DELTA_SECRET:
+ e->object.object_name = o->object_identifier.name;
+ e->flags = NETR_CHANGELOG_NAME_INCLUDED;
+ break;
+ case NETR_DELTA_TRUSTED_DOMAIN:
+ case NETR_DELTA_ACCOUNT:
+ case NETR_DELTA_POLICY:
+ e->object.object_sid = o->object_identifier.sid;
+ e->flags = NETR_CHANGELOG_SID_INCLUDED;
+ break;
+ default:
+ break;
+ }
+}
+
+/**
+ * libnet_samsync_delta
+ */
+
+static NTSTATUS libnet_samsync_delta(enum netr_SamDatabaseID database_id,
+ struct samsync_context *ctx,
+ struct netr_ChangeLogEntry *e)
{
NTSTATUS result;
TALLOC_CTX *mem_ctx;
netlogon_creds_client_step(ctx->cli->dc, &credential);
- result = rpccli_netr_DatabaseSync2(ctx->cli, mem_ctx,
- logon_server,
- computername,
- &credential,
- &return_authenticator,
- database_id,
- restart_state,
- &sync_context,
- &delta_enum_array,
- 0xffff);
+ if (ctx->single_object_replication) {
+ result = rpccli_netr_DatabaseRedo(ctx->cli, mem_ctx,
+ logon_server,
+ computername,
+ &credential,
+ &return_authenticator,
+ *e,
+ 0,
+ &delta_enum_array);
+ } else {
+ result = rpccli_netr_DatabaseSync2(ctx->cli, mem_ctx,
+ logon_server,
+ computername,
+ &credential,
+ &return_authenticator,
+ database_id,
+ restart_state,
+ &sync_context,
+ &delta_enum_array,
+ 0xffff);
+ }
+
if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED)) {
return result;
}
samsync_fix_delta_array(mem_ctx,
&session_key,
- false,
database_id,
delta_enum_array);
return result;
}
+/**
+ * libnet_samsync
+ */
+
+NTSTATUS libnet_samsync(enum netr_SamDatabaseID database_id,
+ struct samsync_context *ctx)
+{
+ NTSTATUS status = NT_STATUS_OK;
+ int i = 0;
+
+ if (!ctx->single_object_replication) {
+ return libnet_samsync_delta(database_id, ctx, NULL);
+ }
+
+ for (i=0; i<ctx->num_objects; i++) {
+
+ struct netr_ChangeLogEntry e;
+
+ if (ctx->objects[i].database_id != database_id) {
+ continue;
+ }
+
+ libnet_init_netr_ChangeLogEntry(&ctx->objects[i], &e);
+
+ status = libnet_samsync_delta(database_id, ctx, &e);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ }
+
+ return status;
+}
+
/**
* pull_netr_AcctLockStr
*/
blob = data_blob_const(r->array, r->length);
- ndr_err = ndr_pull_struct_blob(&blob, mem_ctx, str,
+ ndr_err = ndr_pull_struct_blob(&blob, mem_ctx, NULL, str,
(ndr_pull_flags_fn_t)ndr_pull_netr_AcctLockStr);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {