2 Unix SMB/CIFS implementation.
4 Extract the user/system database from a remote SamSync server
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
7 Copyright (C) Guenther Deschner <gd@samba.org> 2008
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "libnet/libnet.h"
28 * Decrypt and extract the user's passwords.
30 * The writes decrypted (no longer 'RID encrypted' or arcfour encrypted)
31 * passwords back into the structure
34 static NTSTATUS
fix_user(TALLOC_CTX
*mem_ctx
,
35 DATA_BLOB
*session_key
,
36 enum netr_SamDatabaseID database_id
,
37 struct netr_DELTA_ENUM
*delta
)
40 uint32_t rid
= delta
->delta_id_union
.rid
;
41 struct netr_DELTA_USER
*user
= delta
->delta_union
.user
;
42 struct samr_Password lm_hash
;
43 struct samr_Password nt_hash
;
44 unsigned char zero_buf
[16];
46 memset(zero_buf
, '\0', sizeof(zero_buf
));
48 /* Note that win2000 may send us all zeros
49 * for the hashes if it doesn't
50 * think this channel is secure enough. */
51 if (user
->lm_password_present
) {
52 if (memcmp(user
->lmpassword
.hash
, zero_buf
, 16) != 0) {
53 sam_pwd_hash(rid
, user
->lmpassword
.hash
, lm_hash
.hash
, 0);
55 memset(lm_hash
.hash
, '\0', sizeof(lm_hash
.hash
));
57 user
->lmpassword
= lm_hash
;
60 if (user
->nt_password_present
) {
61 if (memcmp(user
->ntpassword
.hash
, zero_buf
, 16) != 0) {
62 sam_pwd_hash(rid
, user
->ntpassword
.hash
, nt_hash
.hash
, 0);
64 memset(nt_hash
.hash
, '\0', sizeof(nt_hash
.hash
));
66 user
->ntpassword
= nt_hash
;
69 if (user
->user_private_info
.SensitiveData
) {
71 struct netr_USER_KEYS keys
;
72 enum ndr_err_code ndr_err
;
73 data
.data
= user
->user_private_info
.SensitiveData
;
74 data
.length
= user
->user_private_info
.DataLength
;
75 SamOEMhashBlob(data
.data
, data
.length
, session_key
);
76 user
->user_private_info
.SensitiveData
= data
.data
;
77 user
->user_private_info
.DataLength
= data
.length
;
79 ndr_err
= ndr_pull_struct_blob(&data
, mem_ctx
, &keys
,
80 (ndr_pull_flags_fn_t
)ndr_pull_netr_USER_KEYS
);
81 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
82 dump_data(10, data
.data
, data
.length
);
83 return ndr_map_error2ntstatus(ndr_err
);
86 /* Note that win2000 may send us all zeros
87 * for the hashes if it doesn't
88 * think this channel is secure enough. */
89 if (keys
.keys
.keys2
.lmpassword
.length
== 16) {
90 if (memcmp(keys
.keys
.keys2
.lmpassword
.pwd
.hash
,
93 keys
.keys
.keys2
.lmpassword
.pwd
.hash
,
96 memset(lm_hash
.hash
, '\0', sizeof(lm_hash
.hash
));
98 user
->lmpassword
= lm_hash
;
99 user
->lm_password_present
= true;
101 if (keys
.keys
.keys2
.ntpassword
.length
== 16) {
102 if (memcmp(keys
.keys
.keys2
.ntpassword
.pwd
.hash
,
103 zero_buf
, 16) != 0) {
105 keys
.keys
.keys2
.ntpassword
.pwd
.hash
,
108 memset(nt_hash
.hash
, '\0', sizeof(nt_hash
.hash
));
110 user
->ntpassword
= nt_hash
;
111 user
->nt_password_present
= true;
113 /* TODO: rid decrypt history fields */
119 * Decrypt and extract the secrets
121 * The writes decrypted secrets back into the structure
123 static NTSTATUS
fix_secret(TALLOC_CTX
*mem_ctx
,
124 DATA_BLOB
*session_key
,
125 enum netr_SamDatabaseID database_id
,
126 struct netr_DELTA_ENUM
*delta
)
128 struct netr_DELTA_SECRET
*secret
= delta
->delta_union
.secret
;
130 SamOEMhashBlob(secret
->current_cipher
.cipher_data
,
131 secret
->current_cipher
.maxlen
,
134 SamOEMhashBlob(secret
->old_cipher
.cipher_data
,
135 secret
->old_cipher
.maxlen
,
142 * Fix up the delta, dealing with encryption issues so that the final
143 * callback need only do the printing or application logic
146 static NTSTATUS
samsync_fix_delta(TALLOC_CTX
*mem_ctx
,
147 DATA_BLOB
*session_key
,
148 enum netr_SamDatabaseID database_id
,
149 struct netr_DELTA_ENUM
*delta
)
151 NTSTATUS status
= NT_STATUS_OK
;
153 switch (delta
->delta_type
) {
154 case NETR_DELTA_USER
:
156 status
= fix_user(mem_ctx
,
161 case NETR_DELTA_SECRET
:
163 status
= fix_secret(mem_ctx
,
176 * Fix up the delta, dealing with encryption issues so that the final
177 * callback need only do the printing or application logic
180 static NTSTATUS
samsync_fix_delta_array(TALLOC_CTX
*mem_ctx
,
181 DATA_BLOB
*session_key
,
182 enum netr_SamDatabaseID database_id
,
183 struct netr_DELTA_ENUM_ARRAY
*r
)
188 for (i
= 0; i
< r
->num_deltas
; i
++) {
190 status
= samsync_fix_delta(mem_ctx
,
194 if (!NT_STATUS_IS_OK(status
)) {
203 * libnet_samsync_init_context
206 NTSTATUS
libnet_samsync_init_context(TALLOC_CTX
*mem_ctx
,
207 const struct dom_sid
*domain_sid
,
208 struct samsync_context
**ctx_p
)
210 struct samsync_context
*ctx
;
214 ctx
= TALLOC_ZERO_P(mem_ctx
, struct samsync_context
);
215 NT_STATUS_HAVE_NO_MEMORY(ctx
);
218 ctx
->domain_sid
= sid_dup_talloc(mem_ctx
, domain_sid
);
219 NT_STATUS_HAVE_NO_MEMORY(ctx
->domain_sid
);
221 ctx
->domain_sid_str
= sid_string_talloc(mem_ctx
, ctx
->domain_sid
);
222 NT_STATUS_HAVE_NO_MEMORY(ctx
->domain_sid_str
);
231 * samsync_database_str
234 static const char *samsync_database_str(enum netr_SamDatabaseID database_id
)
237 switch (database_id
) {
238 case SAM_DATABASE_DOMAIN
:
240 case SAM_DATABASE_BUILTIN
:
242 case SAM_DATABASE_PRIVS
:
253 static const char *samsync_debug_str(TALLOC_CTX
*mem_ctx
,
254 enum net_samsync_mode mode
,
255 enum netr_SamDatabaseID database_id
)
257 const char *action
= NULL
;
260 case NET_SAMSYNC_MODE_DUMP
:
261 action
= "Dumping (to stdout)";
263 case NET_SAMSYNC_MODE_FETCH_PASSDB
:
264 action
= "Fetching (to passdb)";
266 case NET_SAMSYNC_MODE_FETCH_LDIF
:
267 action
= "Fetching (to ldif)";
269 case NET_SAMSYNC_MODE_FETCH_KEYTAB
:
270 action
= "Fetching (to keytab)";
277 return talloc_asprintf(mem_ctx
, "%s %s database",
278 action
, samsync_database_str(database_id
));
285 void libnet_init_netr_ChangeLogEntry(struct samsync_object
*o
,
286 struct netr_ChangeLogEntry
*e
)
290 e
->db_index
= o
->database_id
;
291 e
->delta_type
= o
->object_type
;
293 switch (e
->delta_type
) {
294 case NETR_DELTA_DOMAIN
:
295 case NETR_DELTA_DELETE_GROUP
:
296 case NETR_DELTA_RENAME_GROUP
:
297 case NETR_DELTA_DELETE_USER
:
298 case NETR_DELTA_RENAME_USER
:
299 case NETR_DELTA_DELETE_ALIAS
:
300 case NETR_DELTA_RENAME_ALIAS
:
301 case NETR_DELTA_DELETE_TRUST
:
302 case NETR_DELTA_DELETE_ACCOUNT
:
303 case NETR_DELTA_DELETE_SECRET
:
304 case NETR_DELTA_DELETE_GROUP2
:
305 case NETR_DELTA_DELETE_USER2
:
306 case NETR_DELTA_MODIFY_COUNT
:
308 case NETR_DELTA_USER
:
309 case NETR_DELTA_GROUP
:
310 case NETR_DELTA_GROUP_MEMBER
:
311 case NETR_DELTA_ALIAS
:
312 case NETR_DELTA_ALIAS_MEMBER
:
313 e
->object_rid
= o
->object_identifier
.rid
;
315 case NETR_DELTA_SECRET
:
316 e
->object
.object_name
= o
->object_identifier
.name
;
317 e
->flags
= NETR_CHANGELOG_NAME_INCLUDED
;
319 case NETR_DELTA_TRUSTED_DOMAIN
:
320 case NETR_DELTA_ACCOUNT
:
321 case NETR_DELTA_POLICY
:
322 e
->object
.object_sid
= o
->object_identifier
.sid
;
323 e
->flags
= NETR_CHANGELOG_SID_INCLUDED
;
331 * libnet_samsync_delta
334 static NTSTATUS
libnet_samsync_delta(TALLOC_CTX
*mem_ctx
,
335 enum netr_SamDatabaseID database_id
,
336 uint64_t *sequence_num
,
337 struct samsync_context
*ctx
,
338 struct netr_ChangeLogEntry
*e
)
341 NTSTATUS callback_status
;
342 const char *logon_server
= ctx
->cli
->desthost
;
343 const char *computername
= global_myname();
344 struct netr_Authenticator credential
;
345 struct netr_Authenticator return_authenticator
;
346 uint16_t restart_state
= 0;
347 uint32_t sync_context
= 0;
348 DATA_BLOB session_key
;
350 ZERO_STRUCT(return_authenticator
);
353 struct netr_DELTA_ENUM_ARRAY
*delta_enum_array
= NULL
;
355 netlogon_creds_client_step(ctx
->cli
->dc
, &credential
);
357 if (ctx
->single_object_replication
&&
358 !ctx
->force_full_replication
) {
359 result
= rpccli_netr_DatabaseRedo(ctx
->cli
, mem_ctx
,
363 &return_authenticator
,
367 } else if (!ctx
->force_full_replication
&&
368 sequence_num
&& (*sequence_num
> 0)) {
369 result
= rpccli_netr_DatabaseDeltas(ctx
->cli
, mem_ctx
,
373 &return_authenticator
,
379 result
= rpccli_netr_DatabaseSync2(ctx
->cli
, mem_ctx
,
383 &return_authenticator
,
391 if (NT_STATUS_EQUAL(result
, NT_STATUS_NOT_SUPPORTED
)) {
395 /* Check returned credentials. */
396 if (!netlogon_creds_client_check(ctx
->cli
->dc
,
397 &return_authenticator
.cred
)) {
398 DEBUG(0,("credentials chain check failed\n"));
399 return NT_STATUS_ACCESS_DENIED
;
402 if (NT_STATUS_IS_ERR(result
)) {
406 session_key
= data_blob_const(ctx
->cli
->dc
->sess_key
, 16);
408 samsync_fix_delta_array(mem_ctx
,
413 /* Process results */
414 callback_status
= ctx
->ops
->process_objects(mem_ctx
, database_id
,
418 if (!NT_STATUS_IS_OK(callback_status
)) {
419 result
= callback_status
;
423 TALLOC_FREE(delta_enum_array
);
425 /* Increment sync_context */
428 } while (NT_STATUS_EQUAL(result
, STATUS_MORE_ENTRIES
));
439 NTSTATUS
libnet_samsync(enum netr_SamDatabaseID database_id
,
440 struct samsync_context
*ctx
)
442 NTSTATUS status
= NT_STATUS_OK
;
443 NTSTATUS callback_status
;
445 const char *debug_str
;
446 uint64_t sequence_num
= 0;
449 if (!(mem_ctx
= talloc_new(ctx
))) {
450 return NT_STATUS_NO_MEMORY
;
454 return NT_STATUS_INVALID_PARAMETER
;
457 if (ctx
->ops
->startup
) {
458 status
= ctx
->ops
->startup(mem_ctx
, ctx
,
459 database_id
, &sequence_num
);
460 if (!NT_STATUS_IS_OK(status
)) {
465 debug_str
= samsync_debug_str(mem_ctx
, ctx
->mode
, database_id
);
467 d_fprintf(stderr
, "%s\n", debug_str
);
470 if (!ctx
->single_object_replication
) {
471 status
= libnet_samsync_delta(mem_ctx
, database_id
,
472 &sequence_num
, ctx
, NULL
);
476 for (i
=0; i
<ctx
->num_objects
; i
++) {
478 struct netr_ChangeLogEntry e
;
480 if (ctx
->objects
[i
].database_id
!= database_id
) {
484 libnet_init_netr_ChangeLogEntry(&ctx
->objects
[i
], &e
);
486 status
= libnet_samsync_delta(mem_ctx
, database_id
,
487 &sequence_num
, ctx
, &e
);
488 if (!NT_STATUS_IS_OK(status
)) {
495 if (NT_STATUS_IS_OK(status
) && ctx
->ops
->finish
) {
496 callback_status
= ctx
->ops
->finish(mem_ctx
, ctx
,
497 database_id
, sequence_num
);
498 if (!NT_STATUS_IS_OK(callback_status
)) {
499 status
= callback_status
;
503 if (NT_STATUS_IS_ERR(status
) && !ctx
->error_message
) {
505 ctx
->error_message
= talloc_asprintf(ctx
,
506 "Failed to fetch %s database: %s",
507 samsync_database_str(database_id
),
510 if (NT_STATUS_EQUAL(status
, NT_STATUS_NOT_SUPPORTED
)) {
513 talloc_asprintf_append(ctx
->error_message
,
514 "\nPerhaps %s is a Windows native mode domain?",
519 talloc_destroy(mem_ctx
);
525 * pull_netr_AcctLockStr
528 NTSTATUS
pull_netr_AcctLockStr(TALLOC_CTX
*mem_ctx
,
529 struct lsa_BinaryString
*r
,
530 struct netr_AcctLockStr
**str_p
)
532 struct netr_AcctLockStr
*str
;
533 enum ndr_err_code ndr_err
;
536 if (!mem_ctx
|| !r
|| !str_p
) {
537 return NT_STATUS_INVALID_PARAMETER
;
542 str
= TALLOC_ZERO_P(mem_ctx
, struct netr_AcctLockStr
);
544 return NT_STATUS_NO_MEMORY
;
547 blob
= data_blob_const(r
->array
, r
->length
);
549 ndr_err
= ndr_pull_struct_blob(&blob
, mem_ctx
, str
,
550 (ndr_pull_flags_fn_t
)ndr_pull_netr_AcctLockStr
);
552 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
553 return ndr_map_error2ntstatus(ndr_err
);