#include "includes.h"
-#include "libnet/libnet.h"
-
-/**
- * Decrypt and extract the user's passwords.
- *
- * The writes decrypted (no longer 'RID encrypted' or arcfour encrypted)
- * passwords back into the structure
- */
-
-static NTSTATUS fix_user(TALLOC_CTX *mem_ctx,
- DATA_BLOB *session_key,
- bool rid_crypt,
- enum netr_SamDatabaseID database_id,
- struct netr_DELTA_ENUM *delta)
-{
-
- uint32_t rid = delta->delta_id_union.rid;
- struct netr_DELTA_USER *user = delta->delta_union.user;
- struct samr_Password lm_hash;
- struct samr_Password nt_hash;
-
- if (rid_crypt) {
- if (user->lm_password_present) {
- sam_pwd_hash(rid, user->lmpassword.hash, lm_hash.hash, 0);
- user->lmpassword = lm_hash;
- }
-
- if (user->nt_password_present) {
- sam_pwd_hash(rid, user->ntpassword.hash, nt_hash.hash, 0);
- user->ntpassword = nt_hash;
- }
- }
-
- if (user->user_private_info.SensitiveData) {
- DATA_BLOB data;
- struct netr_USER_KEYS keys;
- enum ndr_err_code ndr_err;
- data.data = user->user_private_info.SensitiveData;
- data.length = user->user_private_info.DataLength;
- SamOEMhashBlob(data.data, data.length, session_key);
- user->user_private_info.SensitiveData = data.data;
- user->user_private_info.DataLength = data.length;
-
- ndr_err = ndr_pull_struct_blob(&data, mem_ctx, NULL, &keys,
- (ndr_pull_flags_fn_t)ndr_pull_netr_USER_KEYS);
- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
- dump_data(10, data.data, data.length);
- return ndr_map_error2ntstatus(ndr_err);
- }
-
- if (keys.keys.keys2.lmpassword.length == 16) {
- if (rid_crypt) {
- sam_pwd_hash(rid,
- keys.keys.keys2.lmpassword.pwd.hash,
- lm_hash.hash, 0);
- user->lmpassword = lm_hash;
- } else {
- user->lmpassword = keys.keys.keys2.lmpassword.pwd;
- }
- user->lm_password_present = true;
- }
- if (keys.keys.keys2.ntpassword.length == 16) {
- if (rid_crypt) {
- sam_pwd_hash(rid,
- keys.keys.keys2.ntpassword.pwd.hash,
- nt_hash.hash, 0);
- user->ntpassword = nt_hash;
- } else {
- user->ntpassword = keys.keys.keys2.ntpassword.pwd;
- }
- user->nt_password_present = true;
- }
- /* TODO: rid decrypt history fields */
- }
- return NT_STATUS_OK;
-}
-
-/**
- * Decrypt and extract the secrets
- *
- * The writes decrypted secrets back into the structure
- */
-static NTSTATUS fix_secret(TALLOC_CTX *mem_ctx,
- DATA_BLOB *session_key,
- enum netr_SamDatabaseID database_id,
- struct netr_DELTA_ENUM *delta)
-{
- struct netr_DELTA_SECRET *secret = delta->delta_union.secret;
-
- SamOEMhashBlob(secret->current_cipher.cipher_data,
- secret->current_cipher.maxlen,
- session_key);
-
- SamOEMhashBlob(secret->old_cipher.cipher_data,
- secret->old_cipher.maxlen,
- session_key);
-
- return NT_STATUS_OK;
-}
-
-/**
- * Fix up the delta, dealing with encryption issues so that the final
- * callback need only do the printing or application logic
- */
-
-static NTSTATUS samsync_fix_delta(TALLOC_CTX *mem_ctx,
- DATA_BLOB *session_key,
- bool rid_crypt,
- enum netr_SamDatabaseID database_id,
- struct netr_DELTA_ENUM *delta)
-{
- NTSTATUS status = NT_STATUS_OK;
-
- switch (delta->delta_type) {
- case NETR_DELTA_USER:
-
- status = fix_user(mem_ctx,
- session_key,
- rid_crypt,
- database_id,
- delta);
- break;
- case NETR_DELTA_SECRET:
-
- status = fix_secret(mem_ctx,
- session_key,
- database_id,
- delta);
- break;
- default:
- break;
- }
-
- return status;
-}
+#include "libnet/libnet_samsync.h"
+#include "../libcli/samsync/samsync.h"
+#include "../libcli/auth/libcli_auth.h"
+#include "rpc_client/rpc_client.h"
+#include "../librpc/gen_ndr/ndr_netlogon.h"
+#include "../librpc/gen_ndr/ndr_netlogon_c.h"
+#include "../libcli/security/security.h"
+#include "messages.h"
/**
* Fix up the delta, dealing with encryption issues so that the final
*/
static NTSTATUS samsync_fix_delta_array(TALLOC_CTX *mem_ctx,
- DATA_BLOB *session_key,
- bool rid_crypt,
+ struct netlogon_creds_CredentialState *creds,
enum netr_SamDatabaseID database_id,
struct netr_DELTA_ENUM_ARRAY *r)
{
for (i = 0; i < r->num_deltas; i++) {
status = samsync_fix_delta(mem_ctx,
- session_key,
- rid_crypt,
+ creds,
database_id,
&r->delta_enum[i]);
if (!NT_STATUS_IS_OK(status)) {
*ctx_p = NULL;
- ctx = TALLOC_ZERO_P(mem_ctx, struct samsync_context);
+ ctx = talloc_zero(mem_ctx, struct samsync_context);
NT_STATUS_HAVE_NO_MEMORY(ctx);
if (domain_sid) {
- ctx->domain_sid = sid_dup_talloc(mem_ctx, domain_sid);
+ ctx->domain_sid = dom_sid_dup(mem_ctx, domain_sid);
NT_STATUS_HAVE_NO_MEMORY(ctx->domain_sid);
ctx->domain_sid_str = sid_string_talloc(mem_ctx, ctx->domain_sid);
NT_STATUS_HAVE_NO_MEMORY(ctx->domain_sid_str);
}
+ ctx->msg_ctx = messaging_init(ctx, procid_self(),
+ event_context_init(ctx));
+ NT_STATUS_HAVE_NO_MEMORY(ctx->msg_ctx);
+
*ctx_p = ctx;
return NT_STATUS_OK;
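Review bot: The added `messaging_init(ctx, procid_self(), event_context_init(ctx))` call passes the result of `event_context_init()` straight through without checking it, so an allocation failure there reaches `messaging_init` as a NULL event context. Any `messaging_init` failure is then reported as `NT_STATUS_NO_MEMORY` by `NT_STATUS_HAVE_NO_MEMORY(ctx->msg_ctx)`, whatever the real cause was. I would keep the event context in a local, check it with `NT_STATUS_HAVE_NO_MEMORY(ev);`, and then call `ctx->msg_ctx = messaging_init(ctx, procid_self(), ev);`. A one-line comment saying why the samsync context needs a messaging context would also help. The enclosing function starts outside this hunk.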
* libnet_samsync
*/
-NTSTATUS libnet_samsync(enum netr_SamDatabaseID database_id,
- struct samsync_context *ctx)
+static void libnet_init_netr_ChangeLogEntry(struct samsync_object *o,
+ struct netr_ChangeLogEntry *e)
{
- NTSTATUS result;
- TALLOC_CTX *mem_ctx;
+ ZERO_STRUCTP(e);
+
+ e->db_index = o->database_id;
+ e->delta_type = o->object_type;
+
+ switch (e->delta_type) {
+ case NETR_DELTA_DOMAIN:
+ case NETR_DELTA_DELETE_GROUP:
+ case NETR_DELTA_RENAME_GROUP:
+ case NETR_DELTA_DELETE_USER:
+ case NETR_DELTA_RENAME_USER:
+ case NETR_DELTA_DELETE_ALIAS:
+ case NETR_DELTA_RENAME_ALIAS:
+ case NETR_DELTA_DELETE_TRUST:
+ case NETR_DELTA_DELETE_ACCOUNT:
+ case NETR_DELTA_DELETE_SECRET:
+ case NETR_DELTA_DELETE_GROUP2:
+ case NETR_DELTA_DELETE_USER2:
+ case NETR_DELTA_MODIFY_COUNT:
+ break;
+ case NETR_DELTA_USER:
+ case NETR_DELTA_GROUP:
+ case NETR_DELTA_GROUP_MEMBER:
+ case NETR_DELTA_ALIAS:
+ case NETR_DELTA_ALIAS_MEMBER:
+ e->object_rid = o->object_identifier.rid;
+ break;
+ case NETR_DELTA_SECRET:
+ e->object.object_name = o->object_identifier.name;
+ e->flags = NETR_CHANGELOG_NAME_INCLUDED;
+ break;
+ case NETR_DELTA_TRUSTED_DOMAIN:
+ case NETR_DELTA_ACCOUNT:
+ case NETR_DELTA_POLICY:
+ e->object.object_sid = o->object_identifier.sid;
+ e->flags = NETR_CHANGELOG_SID_INCLUDED;
+ break;
+ default:
+ break;
+ }
+}
+
+/**
+ * libnet_samsync_delta
+ */
+
+static NTSTATUS libnet_samsync_delta(TALLOC_CTX *mem_ctx,
+ enum netr_SamDatabaseID database_id,
+ uint64_t *sequence_num,
+ struct samsync_context *ctx,
+ struct netr_ChangeLogEntry *e)
+{
+ NTSTATUS result, status;
+ NTSTATUS callback_status;
const char *logon_server = ctx->cli->desthost;
- const char *computername = global_myname();
+ const char *computername = lp_netbios_name();
struct netr_Authenticator credential;
struct netr_Authenticator return_authenticator;
uint16_t restart_state = 0;
uint32_t sync_context = 0;
- const char *debug_str;
- DATA_BLOB session_key;
+ struct dcerpc_binding_handle *b = ctx->cli->binding_handle;
ZERO_STRUCT(return_authenticator);
- if (!(mem_ctx = talloc_init("libnet_samsync"))) {
- return NT_STATUS_NO_MEMORY;
- }
-
- debug_str = samsync_debug_str(mem_ctx, ctx->mode, database_id);
- if (debug_str) {
- d_fprintf(stderr, "%s\n", debug_str);
- }
-
do {
struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
- NTSTATUS callback_status;
-
- netlogon_creds_client_step(ctx->cli->dc, &credential);
-
- result = rpccli_netr_DatabaseSync2(ctx->cli, mem_ctx,
- logon_server,
- computername,
- &credential,
- &return_authenticator,
- database_id,
- restart_state,
- &sync_context,
- &delta_enum_array,
- 0xffff);
- if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED)) {
- return result;
+
+ netlogon_creds_client_authenticator(ctx->cli->dc, &credential);
+
+ if (ctx->single_object_replication &&
+ !ctx->force_full_replication) {
+ status = dcerpc_netr_DatabaseRedo(b, mem_ctx,
+ logon_server,
+ computername,
+ &credential,
+ &return_authenticator,
+ *e,
+ 0,
+ &delta_enum_array,
+ &result);
+ } else if (!ctx->force_full_replication &&
+ sequence_num && (*sequence_num > 0)) {
+ status = dcerpc_netr_DatabaseDeltas(b, mem_ctx,
+ logon_server,
+ computername,
+ &credential,
+ &return_authenticator,
+ database_id,
+ sequence_num,
+ &delta_enum_array,
+ 0xffff,
+ &result);
+ } else {
+ status = dcerpc_netr_DatabaseSync2(b, mem_ctx,
+ logon_server,
+ computername,
+ &credential,
+ &return_authenticator,
+ database_id,
+ restart_state,
+ &sync_context,
+ &delta_enum_array,
+ 0xffff,
+ &result);
+ }
+
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
}
/* Check returned credentials. */
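Review bot: In `libnet_samsync_delta` the `dcerpc_netr_DatabaseRedo` branch passes `*e` by value, and `e` is non-NULL there only because the caller passes NULL solely when `ctx->single_object_replication` is false. A guard before the loop, such as `if (ctx->single_object_replication && !ctx->force_full_replication && e == NULL) { return NT_STATUS_INVALID_PARAMETER; }`, would make that contract explicit. Separately, the `libnet_samsync` comment kept as context at the top of this hunk now sits above `libnet_init_netr_ChangeLogEntry`, which has no description of its own. A short comment should say that it builds the change-log entry for one object and borrows `o`'s name and SID pointers rather than copying them. The body of `libnet_samsync_delta` continues past this hunk.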
return NT_STATUS_ACCESS_DENIED;
}
+ if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED)) {
+ return result;
+ }
+
if (NT_STATUS_IS_ERR(result)) {
break;
}
- session_key = data_blob_const(ctx->cli->dc->sess_key, 16);
-
samsync_fix_delta_array(mem_ctx,
- &session_key,
- false,
+ ctx->cli->dc,
database_id,
delta_enum_array);
/* Process results */
- callback_status = ctx->delta_fn(mem_ctx, database_id,
- delta_enum_array,
- NT_STATUS_IS_OK(result), ctx);
+ callback_status = ctx->ops->process_objects(mem_ctx, database_id,
+ delta_enum_array,
+ sequence_num,
+ ctx);
if (!NT_STATUS_IS_OK(callback_status)) {
result = callback_status;
goto out;
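Review bot: The return value of `samsync_fix_delta_array(mem_ctx, ctx->cli->dc, database_id, delta_enum_array)` is still discarded here, so a failed fix-up does not stop the deltas from being handed to `ctx->ops->process_objects`. The fix-up step is what decrypts password hashes and secrets, so the callback could then store or print material that is still encrypted or only partly processed, and the sync would report success. I would capture it with `status = samsync_fix_delta_array(...);` followed by `if (!NT_STATUS_IS_OK(status)) { result = status; goto out; }`, assuming the helper propagates the per-delta status that it checks in its loop. The surrounding do/while loop starts and ends outside this hunk.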
TALLOC_FREE(delta_enum_array);
- /* Increment sync_context */
- sync_context += 1;
-
} while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES));
out:
- if (NT_STATUS_IS_ERR(result) && !ctx->error_message) {
+
+ return result;
+}
+
+/**
+ * libnet_samsync
+ */
+
+NTSTATUS libnet_samsync(enum netr_SamDatabaseID database_id,
+ struct samsync_context *ctx)
+{
+ NTSTATUS status = NT_STATUS_OK;
+ NTSTATUS callback_status;
+ TALLOC_CTX *mem_ctx;
+ const char *debug_str;
+ uint64_t sequence_num = 0;
+ int i = 0;
+
+ if (!(mem_ctx = talloc_new(ctx))) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (!ctx->ops) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (ctx->ops->startup) {
+ status = ctx->ops->startup(mem_ctx, ctx,
+ database_id, &sequence_num);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+ }
+
+ debug_str = samsync_debug_str(mem_ctx, ctx->mode, database_id);
+ if (debug_str) {
+ d_fprintf(stderr, "%s\n", debug_str);
+ }
+
+ if (!ctx->single_object_replication) {
+ status = libnet_samsync_delta(mem_ctx, database_id,
+ &sequence_num, ctx, NULL);
+ goto done;
+ }
+
+ for (i=0; i<ctx->num_objects; i++) {
+
+ struct netr_ChangeLogEntry e;
+
+ if (ctx->objects[i].database_id != database_id) {
+ continue;
+ }
+
+ libnet_init_netr_ChangeLogEntry(&ctx->objects[i], &e);
+
+ status = libnet_samsync_delta(mem_ctx, database_id,
+ &sequence_num, ctx, &e);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+ }
+
+ done:
+
+ if (NT_STATUS_IS_OK(status) && ctx->ops->finish) {
+ callback_status = ctx->ops->finish(mem_ctx, ctx,
+ database_id, sequence_num);
+ if (!NT_STATUS_IS_OK(callback_status)) {
+ status = callback_status;
+ }
+ }
+
+ if (NT_STATUS_IS_ERR(status) && !ctx->error_message) {
ctx->error_message = talloc_asprintf(ctx,
"Failed to fetch %s database: %s",
samsync_database_str(database_id),
- nt_errstr(result));
+ nt_errstr(status));
- if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED)) {
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
ctx->error_message =
talloc_asprintf_append(ctx->error_message,
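Review bot: The `if (!ctx->ops)` check in the new `libnet_samsync` returns after `talloc_new(ctx)` has already succeeded. That leaves `mem_ctx` attached to `ctx` until the caller frees it, and it skips the `error_message` handling under `done:`. Replacing the bare return with `status = NT_STATUS_INVALID_PARAMETER; goto done;` fixes both, and is safe because `done:` only dereferences `ctx->ops->finish` when `status` is OK. Also, when `single_object_replication` and `force_full_replication` are both set, the per-object loop calls `libnet_samsync_delta` once per entry and each call falls through to the `dcerpc_netr_DatabaseSync2` branch. That looks like a repeated full sync, so please confirm it is intended or skip the loop in that case. The tail of the function lies outside this hunk.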
talloc_destroy(mem_ctx);
- return result;
+ return status;
}
/**
*str_p = NULL;
- str = TALLOC_ZERO_P(mem_ctx, struct netr_AcctLockStr);
+ str = talloc_zero(mem_ctx, struct netr_AcctLockStr);
if (!str) {
return NT_STATUS_NO_MEMORY;
}
blob = data_blob_const(r->array, r->length);
- ndr_err = ndr_pull_struct_blob(&blob, mem_ctx, NULL, str,
+ ndr_err = ndr_pull_struct_blob(&blob, mem_ctx, str,
(ndr_pull_flags_fn_t)ndr_pull_netr_AcctLockStr);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {