2 Unix SMB/CIFS implementation.
3 dump the remote SAM using rpc samsync operations
5 Copyright (C) Andrew Tridgell 2002
6 Copyright (C) Tim Potter 2001,2002
7 Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2005
8 Modified by Volker Lendecke 2002
9 Copyright (C) Jeremy Allison 2005.
10 Copyright (C) Guenther Deschner 2008.
12 This program is free software; you can redistribute it and/or modify
13 it under the terms of the GNU General Public License as published by
14 the Free Software Foundation; either version 3 of the License, or
15 (at your option) any later version.
17 This program is distributed in the hope that it will be useful,
18 but WITHOUT ANY WARRANTY; without even the implied warranty of
19 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 GNU General Public License for more details.
22 You should have received a copy of the GNU General Public License
23 along with this program. If not, see <http://www.gnu.org/licenses/>.
27 #include "utils/net.h"
28 #include "../librpc/gen_ndr/ndr_netlogon.h"
29 #include "../librpc/gen_ndr/ndr_drsuapi.h"
30 #include "libnet/libnet_samsync.h"
31 #include "libnet/libnet_dssync.h"
32 #include "../libcli/security/security.h"
33 #include "passdb/machine_sid.h"
35 static void parse_samsync_partial_replication_objects(TALLOC_CTX
*mem_ctx
,
38 bool *do_single_object_replication
,
39 struct samsync_object
**objects
,
40 uint32_t *num_objects
)
45 *do_single_object_replication
= true;
48 for (i
=0; i
<argc
; i
++) {
50 struct samsync_object o
;
54 if (!strncasecmp_m(argv
[i
], "user_rid=", strlen("user_rid="))) {
55 o
.object_identifier
.rid
= get_int_param(argv
[i
]);
56 o
.object_type
= NETR_DELTA_USER
;
57 o
.database_id
= SAM_DATABASE_DOMAIN
;
59 if (!strncasecmp_m(argv
[i
], "group_rid=", strlen("group_rid="))) {
60 o
.object_identifier
.rid
= get_int_param(argv
[i
]);
61 o
.object_type
= NETR_DELTA_GROUP
;
62 o
.database_id
= SAM_DATABASE_DOMAIN
;
64 if (!strncasecmp_m(argv
[i
], "group_member_rid=", strlen("group_member_rid="))) {
65 o
.object_identifier
.rid
= get_int_param(argv
[i
]);
66 o
.object_type
= NETR_DELTA_GROUP_MEMBER
;
67 o
.database_id
= SAM_DATABASE_DOMAIN
;
69 if (!strncasecmp_m(argv
[i
], "alias_rid=", strlen("alias_rid="))) {
70 o
.object_identifier
.rid
= get_int_param(argv
[i
]);
71 o
.object_type
= NETR_DELTA_ALIAS
;
72 o
.database_id
= SAM_DATABASE_BUILTIN
;
74 if (!strncasecmp_m(argv
[i
], "alias_member_rid=", strlen("alias_member_rid="))) {
75 o
.object_identifier
.rid
= get_int_param(argv
[i
]);
76 o
.object_type
= NETR_DELTA_ALIAS_MEMBER
;
77 o
.database_id
= SAM_DATABASE_BUILTIN
;
79 if (!strncasecmp_m(argv
[i
], "account_sid=", strlen("account_sid="))) {
80 const char *sid_str
= get_string_param(argv
[i
]);
81 string_to_sid(&o
.object_identifier
.sid
, sid_str
);
82 o
.object_type
= NETR_DELTA_ACCOUNT
;
83 o
.database_id
= SAM_DATABASE_PRIVS
;
85 if (!strncasecmp_m(argv
[i
], "policy_sid=", strlen("policy_sid="))) {
86 const char *sid_str
= get_string_param(argv
[i
]);
87 string_to_sid(&o
.object_identifier
.sid
, sid_str
);
88 o
.object_type
= NETR_DELTA_POLICY
;
89 o
.database_id
= SAM_DATABASE_PRIVS
;
91 if (!strncasecmp_m(argv
[i
], "trustdom_sid=", strlen("trustdom_sid="))) {
92 const char *sid_str
= get_string_param(argv
[i
]);
93 string_to_sid(&o
.object_identifier
.sid
, sid_str
);
94 o
.object_type
= NETR_DELTA_TRUSTED_DOMAIN
;
95 o
.database_id
= SAM_DATABASE_PRIVS
;
97 if (!strncasecmp_m(argv
[i
], "secret_name=", strlen("secret_name="))) {
98 o
.object_identifier
.name
= get_string_param(argv
[i
]);
99 o
.object_type
= NETR_DELTA_SECRET
;
100 o
.database_id
= SAM_DATABASE_PRIVS
;
103 if (o
.object_type
> 0) {
104 ADD_TO_ARRAY(mem_ctx
, struct samsync_object
, o
,
105 objects
, num_objects
);
110 /* dump sam database via samsync rpc calls */
111 NTSTATUS
rpc_samdump_internals(struct net_context
*c
,
112 const struct dom_sid
*domain_sid
,
113 const char *domain_name
,
114 struct cli_state
*cli
,
115 struct rpc_pipe_client
*pipe_hnd
,
120 struct samsync_context
*ctx
= NULL
;
123 status
= libnet_samsync_init_context(mem_ctx
,
126 if (!NT_STATUS_IS_OK(status
)) {
130 ctx
->mode
= NET_SAMSYNC_MODE_DUMP
;
132 ctx
->netlogon_creds
= c
->netlogon_creds
;
133 ctx
->ops
= &libnet_samsync_display_ops
;
134 ctx
->domain_name
= domain_name
;
136 ctx
->force_full_replication
= c
->opt_force_full_repl
? true : false;
137 ctx
->clean_old_entries
= c
->opt_clean_old_entries
? true : false;
139 parse_samsync_partial_replication_objects(ctx
, argc
, argv
,
140 &ctx
->single_object_replication
,
144 libnet_samsync(SAM_DATABASE_DOMAIN
, ctx
);
146 libnet_samsync(SAM_DATABASE_BUILTIN
, ctx
);
148 libnet_samsync(SAM_DATABASE_PRIVS
, ctx
);
156 * Basic usage function for 'net rpc vampire'
158 * @param c A net_context structure
159 * @param argc Standard main() style argc
160 * @param argc Standard main() style argv. Initial components are already
164 int rpc_vampire_usage(struct net_context
*c
, int argc
, const char **argv
)
166 d_printf(_("net rpc vampire ([ldif [<ldif-filename>] | [keytab] "
167 "[<keytab-filename]) [options]\n"
168 "\t to pull accounts from a remote PDC where we are a BDC\n"
169 "\t\t no args puts accounts in local passdb from smb.conf\n"
170 "\t\t ldif - put accounts in ldif format (file defaults to "
172 "\t\t keytab - put account passwords in krb5 keytab "
173 "(defaults to system keytab)\n"));
175 net_common_flags_usage(c
, argc
, argv
);
179 static NTSTATUS
rpc_vampire_ds_internals(struct net_context
*c
,
180 const struct dom_sid
*domain_sid
,
181 const char *domain_name
,
182 struct cli_state
*cli
,
183 struct rpc_pipe_client
*pipe_hnd
,
189 struct dssync_context
*ctx
= NULL
;
191 if (!dom_sid_equal(domain_sid
, get_global_sam_sid())) {
192 d_printf(_("Cannot import users from %s at this time, "
193 "as the current domain:\n\t%s: %s\nconflicts "
194 "with the remote domain\n\t%s: %s\n"
195 "Perhaps you need to set: \n\n\tsecurity=user\n\t"
196 "workgroup=%s\n\n in your smb.conf?\n"),
198 get_global_sam_name(),
199 sid_string_dbg(get_global_sam_sid()),
201 sid_string_dbg(domain_sid
),
203 return NT_STATUS_UNSUCCESSFUL
;
206 status
= libnet_dssync_init_context(mem_ctx
,
208 if (!NT_STATUS_IS_OK(status
)) {
213 ctx
->domain_name
= domain_name
;
214 ctx
->ops
= &libnet_dssync_passdb_ops
;
216 status
= libnet_dssync(mem_ctx
, ctx
);
217 if (!NT_STATUS_IS_OK(status
) && ctx
->error_message
) {
218 d_fprintf(stderr
, "%s\n", ctx
->error_message
);
222 if (ctx
->result_message
) {
223 d_fprintf(stdout
, "%s\n", ctx
->result_message
);
232 /* dump sam database via samsync rpc calls */
233 static NTSTATUS
rpc_vampire_internals(struct net_context
*c
,
234 const struct dom_sid
*domain_sid
,
235 const char *domain_name
,
236 struct cli_state
*cli
,
237 struct rpc_pipe_client
*pipe_hnd
,
243 struct samsync_context
*ctx
= NULL
;
245 if (!dom_sid_equal(domain_sid
, get_global_sam_sid())) {
246 d_printf(_("Cannot import users from %s at this time, "
247 "as the current domain:\n\t%s: %s\nconflicts "
248 "with the remote domain\n\t%s: %s\n"
249 "Perhaps you need to set: \n\n\tsecurity=user\n\t"
250 "workgroup=%s\n\n in your smb.conf?\n"),
252 get_global_sam_name(),
253 sid_string_dbg(get_global_sam_sid()),
255 sid_string_dbg(domain_sid
),
257 return NT_STATUS_UNSUCCESSFUL
;
260 result
= libnet_samsync_init_context(mem_ctx
,
263 if (!NT_STATUS_IS_OK(result
)) {
267 ctx
->mode
= NET_SAMSYNC_MODE_FETCH_PASSDB
;
269 ctx
->ops
= &libnet_samsync_passdb_ops
;
270 ctx
->domain_name
= domain_name
;
272 ctx
->force_full_replication
= c
->opt_force_full_repl
? true : false;
273 ctx
->clean_old_entries
= c
->opt_clean_old_entries
? true : false;
275 parse_samsync_partial_replication_objects(ctx
, argc
, argv
,
276 &ctx
->single_object_replication
,
281 result
= libnet_samsync(SAM_DATABASE_DOMAIN
, ctx
);
283 if (!NT_STATUS_IS_OK(result
) && ctx
->error_message
) {
284 d_fprintf(stderr
, "%s\n", ctx
->error_message
);
288 if (ctx
->result_message
) {
289 d_fprintf(stdout
, "%s\n", ctx
->result_message
);
293 ctx
->domain_sid
= dom_sid_dup(mem_ctx
, &global_sid_Builtin
);
294 ctx
->domain_sid_str
= sid_string_talloc(mem_ctx
, ctx
->domain_sid
);
295 result
= libnet_samsync(SAM_DATABASE_BUILTIN
, ctx
);
297 if (!NT_STATUS_IS_OK(result
) && ctx
->error_message
) {
298 d_fprintf(stderr
, "%s\n", ctx
->error_message
);
302 if (ctx
->result_message
) {
303 d_fprintf(stdout
, "%s\n", ctx
->result_message
);
311 int rpc_vampire_passdb(struct net_context
*c
, int argc
, const char **argv
)
315 struct cli_state
*cli
= NULL
;
316 struct net_dc_info dc_info
;
318 if (c
->display_usage
) {
320 "net rpc vampire passdb\n"
323 _("Dump remote SAM database to passdb"));
327 status
= net_make_ipc_connection(c
, 0, &cli
);
328 if (!NT_STATUS_IS_OK(status
)) {
332 status
= net_scan_dc(c
, cli
, &dc_info
);
333 if (!NT_STATUS_IS_OK(status
)) {
337 if (!dc_info
.is_ad
) {
338 printf(_("DC is not running Active Directory\n"));
339 ret
= run_rpc_command(c
, cli
, &ndr_table_netlogon
,
341 rpc_vampire_internals
, argc
, argv
);
347 "net rpc vampire passdb\n"
350 _("Should not be used against Active Directory, maybe use --force"));
354 ret
= run_rpc_command(c
, cli
, &ndr_table_drsuapi
,
355 NET_FLAGS_SEAL
| NET_FLAGS_TCP
,
356 rpc_vampire_ds_internals
, argc
, argv
);
357 if (ret
!= 0 && dc_info
.is_mixed_mode
) {
358 printf(_("Fallback to NT4 vampire on Mixed-Mode AD "
360 ret
= run_rpc_command(c
, cli
, &ndr_table_netlogon
,
362 rpc_vampire_internals
, argc
, argv
);
368 static NTSTATUS
rpc_vampire_ldif_internals(struct net_context
*c
,
369 const struct dom_sid
*domain_sid
,
370 const char *domain_name
,
371 struct cli_state
*cli
,
372 struct rpc_pipe_client
*pipe_hnd
,
378 struct samsync_context
*ctx
= NULL
;
380 status
= libnet_samsync_init_context(mem_ctx
,
383 if (!NT_STATUS_IS_OK(status
)) {
388 ctx
->output_filename
= argv
[0];
391 parse_samsync_partial_replication_objects(ctx
, argc
-1, argv
+1,
392 &ctx
->single_object_replication
,
397 ctx
->mode
= NET_SAMSYNC_MODE_FETCH_LDIF
;
399 ctx
->ops
= &libnet_samsync_ldif_ops
;
400 ctx
->domain_name
= domain_name
;
402 ctx
->force_full_replication
= c
->opt_force_full_repl
? true : false;
403 ctx
->clean_old_entries
= c
->opt_clean_old_entries
? true : false;
406 status
= libnet_samsync(SAM_DATABASE_DOMAIN
, ctx
);
408 if (!NT_STATUS_IS_OK(status
) && ctx
->error_message
) {
409 d_fprintf(stderr
, "%s\n", ctx
->error_message
);
413 if (ctx
->result_message
) {
414 d_fprintf(stdout
, "%s\n", ctx
->result_message
);
418 ctx
->domain_sid
= dom_sid_dup(mem_ctx
, &global_sid_Builtin
);
419 ctx
->domain_sid_str
= sid_string_talloc(mem_ctx
, ctx
->domain_sid
);
420 status
= libnet_samsync(SAM_DATABASE_BUILTIN
, ctx
);
422 if (!NT_STATUS_IS_OK(status
) && ctx
->error_message
) {
423 d_fprintf(stderr
, "%s\n", ctx
->error_message
);
427 if (ctx
->result_message
) {
428 d_fprintf(stdout
, "%s\n", ctx
->result_message
);
436 int rpc_vampire_ldif(struct net_context
*c
, int argc
, const char **argv
)
438 if (c
->display_usage
) {
440 "net rpc vampire ldif\n"
443 _("Dump remote SAM database to LDIF file or "
448 return run_rpc_command(c
, NULL
, &ndr_table_netlogon
, 0,
449 rpc_vampire_ldif_internals
, argc
, argv
);
453 static NTSTATUS
rpc_vampire_keytab_internals(struct net_context
*c
,
454 const struct dom_sid
*domain_sid
,
455 const char *domain_name
,
456 struct cli_state
*cli
,
457 struct rpc_pipe_client
*pipe_hnd
,
463 struct samsync_context
*ctx
= NULL
;
465 status
= libnet_samsync_init_context(mem_ctx
,
468 if (!NT_STATUS_IS_OK(status
)) {
473 /* the caller should ensure that a filename is provided */
474 return NT_STATUS_INVALID_PARAMETER
;
476 ctx
->output_filename
= argv
[0];
479 parse_samsync_partial_replication_objects(ctx
, argc
-1, argv
+1,
480 &ctx
->single_object_replication
,
485 ctx
->mode
= NET_SAMSYNC_MODE_FETCH_KEYTAB
;
487 ctx
->ops
= &libnet_samsync_keytab_ops
;
488 ctx
->domain_name
= domain_name
;
489 ctx
->username
= c
->opt_user_name
;
490 ctx
->password
= c
->opt_password
;
492 ctx
->force_full_replication
= c
->opt_force_full_repl
? true : false;
493 ctx
->clean_old_entries
= c
->opt_clean_old_entries
? true : false;
496 status
= libnet_samsync(SAM_DATABASE_DOMAIN
, ctx
);
498 if (!NT_STATUS_IS_OK(status
) && ctx
->error_message
) {
499 d_fprintf(stderr
, "%s\n", ctx
->error_message
);
503 if (ctx
->result_message
) {
504 d_fprintf(stdout
, "%s\n", ctx
->result_message
);
513 static NTSTATUS
rpc_vampire_keytab_ds_internals(struct net_context
*c
,
514 const struct dom_sid
*domain_sid
,
515 const char *domain_name
,
516 struct cli_state
*cli
,
517 struct rpc_pipe_client
*pipe_hnd
,
523 struct dssync_context
*ctx
= NULL
;
525 status
= libnet_dssync_init_context(mem_ctx
,
527 if (!NT_STATUS_IS_OK(status
)) {
531 ctx
->force_full_replication
= c
->opt_force_full_repl
? true : false;
532 ctx
->clean_old_entries
= c
->opt_clean_old_entries
? true : false;
535 /* the caller should ensure that a filename is provided */
536 return NT_STATUS_INVALID_PARAMETER
;
538 ctx
->output_filename
= argv
[0];
542 ctx
->object_dns
= &argv
[1];
543 ctx
->object_count
= argc
- 1;
544 ctx
->single_object_replication
= c
->opt_single_obj_repl
? true
549 ctx
->domain_name
= domain_name
;
550 ctx
->ops
= &libnet_dssync_keytab_ops
;
552 status
= libnet_dssync(mem_ctx
, ctx
);
553 if (!NT_STATUS_IS_OK(status
) && ctx
->error_message
) {
554 d_fprintf(stderr
, "%s\n", ctx
->error_message
);
558 if (ctx
->result_message
) {
559 d_fprintf(stdout
, "%s\n", ctx
->result_message
);
569 * Basic function for 'net rpc vampire keytab'
571 * @param c A net_context structure
572 * @param argc Standard main() style argc
573 * @param argc Standard main() style argv. Initial components are already
577 int rpc_vampire_keytab(struct net_context
*c
, int argc
, const char **argv
)
581 struct cli_state
*cli
= NULL
;
582 struct net_dc_info dc_info
;
584 if (c
->display_usage
|| (argc
< 1)) {
587 _("net rpc vampire keytab <keytabfile>\n"
588 " Dump remote SAM database to Kerberos keytab "
593 status
= net_make_ipc_connection(c
, 0, &cli
);
594 if (!NT_STATUS_IS_OK(status
)) {
598 status
= net_scan_dc(c
, cli
, &dc_info
);
599 if (!NT_STATUS_IS_OK(status
)) {
603 if (!dc_info
.is_ad
) {
604 printf(_("DC is not running Active Directory\n"));
605 ret
= run_rpc_command(c
, cli
, &ndr_table_netlogon
,
607 rpc_vampire_keytab_internals
, argc
, argv
);
609 ret
= run_rpc_command(c
, cli
, &ndr_table_drsuapi
,
610 NET_FLAGS_SEAL
| NET_FLAGS_TCP
,
611 rpc_vampire_keytab_ds_internals
, argc
, argv
);
612 if (ret
!= 0 && dc_info
.is_mixed_mode
) {
613 printf(_("Fallback to NT4 vampire on Mixed-Mode AD "
615 ret
= run_rpc_command(c
, cli
, &ndr_table_netlogon
,
617 rpc_vampire_keytab_internals
, argc
, argv
);
620 printf(_("Vampire requested against AD DC but ADS"
621 " support not built in: HAVE_ADS is not defined\n"));