2 Unix SMB/Netbios implementation.
6 Copyright (C) Tim Potter 2001
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
25 static void decode_domain_info(SAM_DOMAIN_INFO *a)
28 printf("Domain Information\n");
29 printf("------------------\n");
31 unistr2_to_ascii(temp, &a->uni_dom_name, sizeof(temp)-1);
32 printf("\tDomain :%s\n", temp);
33 printf("\tMin password len :%d\n", a->min_pwd_len);
34 printf("\tpassword history len:%d\n", a->pwd_history_len);
35 printf("\tcreation time :%s\n", http_timestring(nt_time_to_unix(&a->creation_time)));
38 static void decode_sam_group_info(SAM_GROUP_INFO *a)
41 printf("\nDomain Group Information\n");
42 printf("------------------------\n");
44 unistr2_to_ascii(temp, &a->uni_grp_name, sizeof(temp)-1);
45 printf("\tGroup name :%s\n", temp);
46 unistr2_to_ascii(temp, &a->uni_grp_desc, sizeof(temp)-1);
47 printf("\tGroup description :%s\n", temp);
48 printf("\trid :%d\n", a->gid.g_rid);
49 printf("\tattribute :%d\n", a->gid.attr);
52 static void decode_sam_account_info(SAM_ACCOUNT_INFO *a)
55 printf("\nUser Information\n");
56 printf("----------------\n");
58 unistr2_to_ascii(temp, &a->uni_acct_name, sizeof(temp)-1);
59 printf("\tUser name :%s\n", temp);
60 printf("\tuser's rid :%d\n", a->user_rid);
61 printf("\tuser's primary gid :%d\n", a->group_rid);
62 unistr2_to_ascii(temp, &a->uni_full_name, sizeof(temp)-1);
63 printf("\tfull name :%s\n", temp);
64 unistr2_to_ascii(temp, &a->uni_home_dir, sizeof(temp)-1);
65 printf("\thome directory :%s\n", temp);
66 unistr2_to_ascii(temp, &a->uni_dir_drive, sizeof(temp)-1);
67 printf("\tdrive :%s\n", temp);
68 unistr2_to_ascii(temp, &a->uni_logon_script, sizeof(temp)-1);
69 printf("\tlogon script :%s\n", temp);
70 unistr2_to_ascii(temp, &a->uni_acct_desc, sizeof(temp)-1);
71 printf("\tdescription :%s\n", temp);
72 unistr2_to_ascii(temp, &a->uni_workstations, sizeof(temp)-1);
73 printf("\tworkstations :%s\n", temp);
76 static void decode_sam_grp_mem_info(SAM_GROUP_MEM_INFO *a)
79 printf("\nGroup members information\n");
80 printf("-------------------------\n");
81 printf("\tnum members :%d\n", a->num_members);
83 for (i=0; i<a->num_members; i++) {
84 printf("\trid, attr:%d, %d\n", a->rids[i], a->attribs[i]);
88 static void decode_sam_alias_info(SAM_ALIAS_INFO *a)
91 printf("\nAlias Information\n");
92 printf("-----------------\n");
94 unistr2_to_ascii(temp, &a->uni_als_name, sizeof(temp)-1);
95 printf("\tname :%s\n", temp);
96 unistr2_to_ascii(temp, &a->uni_als_desc, sizeof(temp)-1);
97 printf("\tdescription :%s\n", temp);
98 printf("\trid :%d\n", a->als_rid);
101 static void decode_sam_als_mem_info(SAM_ALIAS_MEM_INFO *a)
105 printf("\nAlias members Information\n");
106 printf("-------------------------\n");
107 printf("\tnum members :%d\n", a->num_members);
108 printf("\tnum sids :%d\n", a->num_sids);
109 for (i=0; i<a->num_sids; i++) {
110 printf("\tsid :%s\n", sid_to_string(temp, &a->sids[i].sid));
116 static void decode_sam_dom_info(SAM_DELTA_DOM *a)
119 printf("\nDomain information\n");
120 printf("------------------\n");
122 unistr2_to_ascii(temp, &a->domain_name, sizeof(temp)-1);
123 printf("\tdomain name :%s\n", temp);
124 printf("\tsid :%s\n", sid_to_string(temp, &a->domain_sid.sid));
127 static void decode_sam_unk0e_info(SAM_DELTA_UNK0E *a)
130 printf("\nTrust information\n");
131 printf("-----------------\n");
133 unistr2_to_ascii(temp, &a->domain, sizeof(temp)-1);
134 printf("\tdomain name :%s\n", temp);
135 printf("\tsid :%s\n", sid_to_string(temp, &a->sid.sid));
136 display_sec_desc(a->sec_desc);
139 static void decode_sam_privs_info(SAM_DELTA_PRIVS *a)
143 printf("\nSID and privileges information\n");
144 printf("------------------------------\n");
145 printf("\tsid :%s\n", sid_to_string(temp, &a->sid.sid));
146 display_sec_desc(a->sec_desc);
147 printf("\tprivileges count :%d\n", a->privlist_count);
148 for (i=0; i<a->privlist_count; i++) {
149 unistr2_to_ascii(temp, &a->uni_privslist[i], sizeof(temp)-1);
150 printf("\tprivilege name :%s\n", temp);
151 printf("\tattribute :%d\n", a->attributes[i]);
155 static void decode_sam_unk12_info(SAM_DELTA_UNK12 *a)
158 printf("\nTrusted information\n");
159 printf("-------------------\n");
161 unistr2_to_ascii(temp, &a->secret, sizeof(temp)-1);
162 printf("\tsecret name :%s\n", temp);
163 display_sec_desc(a->sec_desc);
165 printf("\ttime 1 :%s\n", http_timestring(nt_time_to_unix(&a->time1)));
166 printf("\ttime 2 :%s\n", http_timestring(nt_time_to_unix(&a->time2)));
168 display_sec_desc(a->sec_desc2);
171 static void decode_sam_stamp(SAM_DELTA_STAMP *a)
173 printf("\nStamp information\n");
174 printf("-----------------\n");
175 printf("\tsequence number :%d\n", a->seqnum);
178 static void decode_sam_deltas(uint32 num_deltas, SAM_DELTA_HDR *hdr_deltas, SAM_DELTA_CTR *deltas)
181 for (i = 0; i < num_deltas; i++) {
182 switch (hdr_deltas[i].type) {
183 case SAM_DELTA_DOMAIN_INFO: {
185 a = &deltas[i].domain_info;
186 decode_domain_info(a);
189 case SAM_DELTA_GROUP_INFO: {
191 a = &deltas[i].group_info;
192 decode_sam_group_info(a);
195 case SAM_DELTA_ACCOUNT_INFO: {
197 a = &deltas[i].account_info;
198 decode_sam_account_info(a);
201 case SAM_DELTA_GROUP_MEM: {
202 SAM_GROUP_MEM_INFO *a;
203 a = &deltas[i].grp_mem_info;
204 decode_sam_grp_mem_info(a);
207 case SAM_DELTA_ALIAS_INFO: {
209 a = &deltas[i].alias_info;
210 decode_sam_alias_info(a);
213 case SAM_DELTA_ALIAS_MEM: {
214 SAM_ALIAS_MEM_INFO *a;
215 a = &deltas[i].als_mem_info;
216 decode_sam_als_mem_info(a);
219 case SAM_DELTA_DOM_INFO: {
221 a = &deltas[i].dom_info;
222 decode_sam_dom_info(a);
225 case SAM_DELTA_UNK0E_INFO: {
227 a = &deltas[i].unk0e_info;
228 decode_sam_unk0e_info(a);
231 case SAM_DELTA_PRIVS_INFO: {
233 a = &deltas[i].privs_info;
234 decode_sam_privs_info(a);
237 case SAM_DELTA_UNK12_INFO: {
239 a = &deltas[i].unk12_info;
240 decode_sam_unk12_info(a);
243 case SAM_DELTA_SAM_STAMP: {
245 a = &deltas[i].stamp;
250 DEBUG(0,("unknown delta type: %d\n", hdr_deltas[i].type));
256 /* Synchronise sam database */
258 static NTSTATUS sam_sync(struct cli_state *cli, unsigned char trust_passwd[16],
259 BOOL do_smbpasswd_output, BOOL verbose)
262 SAM_DELTA_HDR *hdr_deltas_0, *hdr_deltas_1, *hdr_deltas_2;
263 SAM_DELTA_CTR *deltas_0, *deltas_1, *deltas_2;
264 uint32 num_deltas_0, num_deltas_1, num_deltas_2;
265 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
270 if (!(mem_ctx = talloc_init())) {
271 DEBUG(0,("talloc_init failed\n"));
275 if (!cli_nt_session_open (cli, PIPE_NETLOGON)) {
276 DEBUG(0, ("Could not initialize netlogon pipe!\n"));
280 /* Request a challenge */
282 if (!NT_STATUS_IS_OK(new_cli_nt_setup_creds(cli, trust_passwd))) {
283 DEBUG(0, ("Error initialising session creds\n"));
287 /* on first call the returnAuthenticator is empty */
288 memset(&ret_creds, 0, sizeof(ret_creds));
290 /* Do sam synchronisation on the SAM database*/
292 result = cli_netlogon_sam_sync(cli, mem_ctx, &ret_creds, 0, &num_deltas_0, &hdr_deltas_0, &deltas_0);
294 if (!NT_STATUS_IS_OK(result))
299 decode_sam_deltas(num_deltas_0, hdr_deltas_0, deltas_0);
303 * we can't yet do several sam_sync in a raw, it's a credential problem
304 * we must chain the credentials
308 /* Do sam synchronisation on the LSA database */
310 result = cli_netlogon_sam_sync(cli, mem_ctx, &ret_creds, 2, &num_deltas_2, &hdr_deltas_2, &deltas_2);
312 if (!NT_STATUS_IS_OK(result))
317 decode_sam_deltas(num_deltas_2, hdr_deltas_2, deltas_2);
320 /* Produce smbpasswd output - good for migrating from NT! */
322 if (do_smbpasswd_output) {
325 for (i = 0; i < num_deltas_0; i++) {
327 fstring acct_name, hex_nt_passwd, hex_lm_passwd;
328 uchar lm_passwd[16], nt_passwd[16];
330 /* Skip non-user accounts */
332 if (hdr_deltas_0[i].type != SAM_DELTA_ACCOUNT_INFO)
335 a = &deltas_0[i].account_info;
337 unistr2_to_ascii(acct_name, &a->uni_acct_name,
338 sizeof(acct_name) - 1);
340 /* Decode hashes from password hash */
342 sam_pwd_hash(a->user_rid, a->pass.buf_lm_pwd,
344 sam_pwd_hash(a->user_rid, a->pass.buf_nt_pwd,
347 /* Encode as strings */
349 smbpasswd_sethexpwd(hex_lm_passwd, lm_passwd,
351 smbpasswd_sethexpwd(hex_nt_passwd, nt_passwd,
354 /* Display user info */
356 printf("%s:%d:%s:%s:%s:LCT-0\n", acct_name,
357 a->user_rid, hex_lm_passwd, hex_nt_passwd,
358 smbpasswd_encode_acb_info(a->acb_info));
367 cli_nt_session_close(cli);
368 talloc_destroy(mem_ctx);
373 /* Replicate sam deltas */
375 static NTSTATUS sam_repl(struct cli_state *cli, unsigned char trust_passwde[16],
378 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
383 /* Print usage information */
385 static void usage(void)
387 printf("Usage: samsync [options]\n");
389 printf("\t-d debuglevel set the debuglevel\n");
390 printf("\t-h Print this help message.\n");
391 printf("\t-s configfile specify an alternative config file\n");
392 printf("\t-S synchronise sam database\n");
393 printf("\t-R replicate sam deltas\n");
394 printf("\t-U username username and password\n");
395 printf("\t-p produce smbpasswd output\n");
396 printf("\t-V verbose output\n");
400 /* Initialise client credentials for authenticated pipe access */
402 void init_rpcclient_creds(struct ntuser_creds *creds, char* username,
403 char* domain, char* password)
407 if (lp_encrypted_passwords()) {
408 pwd_make_lm_nt_16(&creds->pwd, password);
410 pwd_set_cleartext(&creds->pwd, password);
413 fstrcpy(creds->user_name, username);
414 fstrcpy(creds->domain, domain);
417 creds->pwd.null_pwd = True;
421 /* Connect to primary domain controller */
423 static struct cli_state *init_connection(struct cli_state *cli,
424 char *username, char *domain,
427 struct ntuser_creds creds;
428 extern pstring global_myname;
429 struct in_addr *dest_ip;
430 struct nmb_name calling, called;
434 /* Initialise cli_state information */
438 if (!cli_initialise(cli)) {
442 init_rpcclient_creds(&creds, username, domain, password);
443 cli_init_creds(cli, &creds);
445 /* Look up name of PDC controller */
447 if (!get_dc_list(True, lp_workgroup(), &dest_ip, &count)) {
448 DEBUG(0, ("Cannot find domain controller for domain %s\n",
453 if (!lookup_dc_name(global_myname, lp_workgroup(), dest_ip,
455 DEBUG(0, ("Could not lookup up PDC name for domain %s\n",
460 get_myname((*global_myname)?NULL:global_myname);
461 strupper(global_myname);
463 make_nmb_name(&called, dns_to_netbios_name(dest_host), 0x20);
464 make_nmb_name(&calling, dns_to_netbios_name(global_myname), 0);
466 /* Establish a SMB connection */
468 if (!cli_establish_connection(cli, dest_host, dest_ip, &calling,
469 &called, "IPC$", "IPC", False, True)) {
478 int main(int argc, char **argv)
480 BOOL do_sam_sync = False, do_sam_repl = False;
481 struct cli_state cli;
485 BOOL interactive = False, do_smbpasswd_output = False;
486 BOOL verbose = False;
487 uint32 low_serial = 0;
488 unsigned char trust_passwd[16];
489 fstring username, domain, password;
496 ZERO_STRUCT(username);
498 ZERO_STRUCT(password);
500 /* Parse command line options */
502 while((opt = getopt(argc, argv, "s:d:SR:hiU:W:pV")) != EOF) {
505 pstrcpy(dyn_CONFIGFILE, optarg);
508 DEBUGLEVEL = atoi(optarg);
515 low_serial = atoi(optarg);
523 fstrcpy(username,optarg);
524 if ((lp=strchr_m(username,'%'))) {
526 fstrcpy(password,lp+1);
527 memset(strchr_m(optarg, '%') + 1, 'X',
533 pstrcpy(domain, optarg);
536 do_smbpasswd_output = True;
555 /* Initialise samba */
557 slprintf(logfile, sizeof(logfile) - 1, "%s/log.%s", dyn_LOGFILEBASE,
559 lp_set_logfile(logfile);
561 setup_logging("samsync", interactive);
566 if (!lp_load(dyn_CONFIGFILE, True, False, False)) {
567 fprintf(stderr, "Can't load %s\n", dyn_CONFIGFILE);
572 /* Check arguments make sense */
574 if (do_sam_sync && do_sam_repl) {
575 fprintf(stderr, "cannot specify both -S and -R\n");
580 if (!do_sam_sync && !do_sam_repl) {
581 fprintf(stderr, "must specify either -S or -R\n");
585 if (do_sam_repl && low_serial == 0) {
586 fprintf(stderr, "serial number must be positive\n");
590 /* BDC operations require the machine account password */
592 if (!secrets_init()) {
593 DEBUG(0, ("Unable to initialise secrets database\n"));
597 if (!secrets_fetch_trust_account_password(lp_workgroup(),
598 trust_passwd, NULL)) {
599 DEBUG(0, ("could not fetch trust account password\n"));
603 /* Perform sync or replication */
605 if (!init_connection(&cli, username, domain, password))
609 result = sam_sync(&cli, trust_passwd, do_smbpasswd_output, verbose);
612 result = sam_repl(&cli, trust_passwd, low_serial);
614 if (!NT_STATUS_IS_OK(result)) {
615 DEBUG(0, ("%s\n", get_nt_error_msg(result)));