sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-11 05:18:09 +03:00
Code

r12336: A couple of fixes and enhancements for adssearch.pl (espc. to debug

Browse Source 
GPOs).

sid2string fix from Michael James <michael@james.st>.

Guenther
(This used to be commit 9424b65c70)
This commit is contained in:
Günther Deschner 2005-12-19 02:15:13 +00:00 committed by Gerald (Jerry) Carter
parent 28fb5b6f97
commit c32197dd22
1 changed files with 293 additions and 76 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

369
examples/misc/adssearch.pl
View File

@ -55,6 +55,7 @@ my $realm = "";
# parse input
my (
$opt_asq,
$opt_base,
$opt_binddn,
$opt_debug,
@ -77,10 +78,12 @@ my (
$opt_simpleauth,
$opt_starttls,
$opt_user,
$opt_verbose,
$opt_workgroup,
);
GetOptions(
'asq=s' => \$opt_asq,
'base|b=s' => \$opt_base,
'D|DN=s' => \$opt_binddn,
'debug=i' => \$opt_debug,
@ -102,6 +105,7 @@ GetOptions(
'simpleauth|x' => \$opt_simpleauth,
'tls|Z' => \$opt_starttls,
'user|U=s' => \$opt_user,
'verbose|v' => \$opt_verbose,
'wknguid' => \$opt_dump_wknguid,
'workgroup|k=s' => \$opt_workgroup,
);
@ -129,11 +133,12 @@ my ($sasl_hd, $async_ldap_hd, $sync_ldap_hd);
my ($mesg, $usn);
my (%entry_store);
my $async_search;
my (%ads_atype, %ads_gtype, %ads_uf);
my (%ads_atype, %ads_gtype, %ads_grouptype, %ads_uf);
# fixed values and vars
my $set = "X";
my $unset = "-";
my $tabsize = "\t\t\t";
# get defaults
my $scope = $opt_scope || "sub";
@ -219,9 +224,112 @@ my %ads_instance_type = (
);
my %ads_uacc = (
"ACCOUNT_NEVER_EXPIRES" => 0x000000, # 0
"ACCOUNT_OK" => 0x800000, # 8388608
"ACCOUNT_LOCKED_OUT" => 0x800010, # 8388624
"ACCOUNT_NEVER_EXPIRES" => 0x000000, # 0
"ACCOUNT_OK" => 0x800000, # 8388608
"ACCOUNT_LOCKED_OUT" => 0x800010, # 8388624
);
my %ads_gpoptions = (
"GPOPTIONS_INHERIT" => 0,
"GPOPTIONS_BLOCK_INHERITANCE" => 1,
);
my %ads_gplink_opts = (
"GPLINK_OPT_NONE" => 0,
"GPLINK_OPT_DISABLED" => 1,
"GPLINK_OPT_ENFORCED" => 2,
);
my %ads_gpflags = (
"GPFLAGS_ALL_ENABLED" => 0,
"GPFLAGS_USER_SETTINGS_DISABLED" => 1,
"GPFLAGS_MACHINE_SETTINGS_DISABLED" => 2,
"GPFLAGS_ALL_DISABLED" => 3,
);
my %ads_serverstate = (
"SERVER_ENABLED" => 1,
"SERVER_DISABLED" => 2,
);
my %ads_sdeffective = (
"OWNER_SECURITY_INFORMATION" => 0x01,
"DACL_SECURITY_INFORMATION" => 0x04,
"SACL_SECURITY_INFORMATION" => 0x10,
);
my %ads_trustattrs = (
"TRUST_ATTRIBUTE_NON_TRANSITIVE" => 1,
"TRUST_ATTRIBUTE_TREE_PARENT" => 2,
"TRUST_ATTRIBUTE_TREE_ROOT" => 3,
"TRUST_ATTRIBUTE_UPLEVEL_ONLY" => 4,
);
my %ads_trustdirection = (
"TRUST_DIRECTION_INBOUND" => 1,
"TRUST_DIRECTION_OUTBOUND" => 2,
"TRUST_DIRECTION_BIDIRECTIONAL" => 3,
);
my %ads_trusttype = (
"TRUST_TYPE_DOWNLEVEL" => 1,
"TRUST_TYPE_UPLEVEL" => 2,
"TRUST_TYPE_KERBEROS" => 3,
"TRUST_TYPE_DCE" => 4,
);
my %ads_pwdproperties = (
"DOMAIN_PASSWORD_COMPLEX" => 1,
"DOMAIN_PASSWORD_NO_ANON_CHANGE" => 2,
"DOMAIN_PASSWORD_NO_CLEAR_CHANGE" => 4,
"DOMAIN_LOCKOUT_ADMINS" => 8,
"DOMAIN_PASSWORD_STORE_CLEARTEXT" => 16,
"DOMAIN_REFUSE_PASSWORD_CHANGE" => 32,
);
my %ads_uascompat = (
"LANMAN_USER_ACCOUNT_SYSTEM_NOLIMITS" => 0,
"LANMAN_USER_ACCOUNT_SYSTEM_COMPAT" => 1,
);
my %ads_frstypes = (
"REPLICA_SET_SYSVOL" => 2, # unsure
"REPLICA_SET_DFS" => 1, # unsure
"REPLICA_SET_OTHER" => 0, # unsure
);
my %ads_gp_cse_extensions = (
"Administrative Templates Extension" => "35378EAC-683F-11D2-A89A-00C04FBBCFA2",
"Disk Quotas" => "3610EDA5-77EF-11D2-8DC5-00C04FA31A66",
"EFS Recovery" => "B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A",
"Folder Redirection" => "25537BA6-77A8-11D2-9B6C-0000F8080861",
"IP Security" => "E437BC1C-AA7D-11D2-A382-00C04F991E27",
"Internet Explorer Maintenance" => "A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B",
"QoS Packet Scheduler" => "426031c0-0b47-4852-b0ca-ac3d37bfcb39",
"Scripts" => "42B5FAAE-6536-11D2-AE5A-0000F87571E3",
"Security" => "827D319E-6EAC-11D2-A4EA-00C04F79F83A",
"Software Installation" => "C6DC5466-785A-11D2-84D0-00C04FB169F7",
);
# guess work
my %ads_gpcextensions = (
"Administrative Templates" => "0F6B957D-509E-11D1-A7CC-0000F87571E3",
"Certificates" => "53D6AB1D-2488-11D1-A28C-00C04FB94F17",
"EFS recovery policy processing" => "B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A",
"Folder Redirection policy processing" => "25537BA6-77A8-11D2-9B6C-0000F8080861",
"Folder Redirection" => "88E729D6-BDC1-11D1-BD2A-00C04FB9603F",
"Registry policy processing" => "35378EAC-683F-11D2-A89A-00C04FBBCFA2",
"Remote Installation Services" => "3060E8CE-7020-11D2-842D-00C04FA372D4",
"Security Settings" => "803E14A0-B4FB-11D0-A0D0-00A0C90F574B",
"Security policy processing" => "827D319E-6EAC-11D2-A4EA-00C04F79F83A",
"unknown" => "3060E8D0-7020-11D2-842D-00C04FA372D4",
"unknown2" => "53D6AB1B-2488-11D1-A28C-00C04FB94F17",
);
my %ads_gpo_default_guids = (
"Default Domain Policy" => "31B2F340-016D-11D2-945F-00C04FB984F9",
"Default Domain Controllers Policy" => "6AC1786C-016F-11D2-945F-00C04fB984F9",
"mist" => "61718096-3D3F-4398-8318-203A48976F9E",
);
my %munged_dial = (
@ -243,7 +351,6 @@ my %munged_dial = (
"CtxCallbackNumber" => \&dump_string,
);
$SIG{__WARN__} = sub {
use Carp;
Carp::cluck (shift);
@ -299,45 +406,67 @@ if (!$password) {
}
my %attr_handler = (
"Token-Groups-No-GC-Acceptable" => \&dump_sid, #wrong name
"accountExpires" => \&dump_nttime,
"badPasswordTime" => \&dump_nttime,
"creationTime" => \&dump_nttime,
"currentTime" => \&dump_timestr,
"domainControllerFunctionality" => \&dump_ds_func,
"domainFunctionality" => \&dump_ds_func,
"dSCorePropagationData" => \&dump_timestr,
"fRSReplicaSetGUID" => \&dump_guid,
"fRSReplicaSetType" => \&dump_frstype,
"fRSVersionGUID" => \&dump_guid,
"flags" => \&dump_gpflags, # fixme: possibly only on gpos!
"forceLogoff" => \&dump_nttime_abs,
"forestFunctionality" => \&dump_ds_func,
# "gPCMachineExtensionNames" => \&dump_gpcextensions,
# "gPCUserExtensionNames" => \&dump_gpcextensions,
"gPLink" => \&dump_gplink,
"gPOptions" => \&dump_gpoptions,
"groupType" => \&dump_gtype,
"instanceType" => \&dump_instance_type,
"lastLogon" => \&dump_nttime,
"lastLogonTimestamp" => \&dump_nttime,
"lockoutTime" => \&dump_nttime,
"lockoutDuration" => \&dump_nttime_abs,
"lockOutObservationWindow" => \&dump_nttime_abs,
# "logonHours" => \&dump_not_yet,
"lockoutDuration" => \&dump_nttime_abs,
"lockoutTime" => \&dump_nttime,
# "logonHours" => \&dump_logonhours,
"maxPwdAge" => \&dump_nttime_abs,
"minPwdAge" => \&dump_nttime_abs,
"modifyTimeStamp" => \&dump_timestr,
"msDS-Behavior-Version" => \&dump_ds_func, #unsure
"msDS-User-Account-Control-Computed" => \&dump_uacc,
# "msRADIUSFramedIPAddress" => \&dump_ipaddr,
# "msRASSavedFramedIPAddress" => \&dump_ipaddr,
"ntMixedDomain" => \&dump_mixed_domain,
"nTMixedDomain" => \&dump_mixed_domain,
"nTSecurityDescriptor" => \&dump_secdesc,
"objectGUID" => \&dump_guid,
"objectSid" => \&dump_sid,
"pKT" => \&dump_pkt,
"pKTGuid" => \&dump_guid,
"pwdLastSet" => \&dump_nttime,
"pwdProperties" => \&dump_pwdproperties,
"sAMAccountType" => \&dump_atype,
"systemFlags" => \&dump_systemflags,
"supportedControl", => \&dump_controls,
"sDRightsEffective" => \&dump_sdeffective,
"securityIdentifier" => \&dump_sid,
"serverState" => \&dump_serverstate,
"supportedCapabilities", => \&dump_capabilities,
"supportedControl", => \&dump_controls,
"supportedExtension", => \&dump_extension,
"systemFlags" => \&dump_systemflags,
"tokenGroups", => \&dump_sid,
"tokenGroupsGlobalAndUniversal" => \&dump_sid,
"trustAttributes" => \&dump_trustattr,
"trustDirection" => \&dump_trustdirection,
"trustType" => \&dump_trusttype,
"uASCompat" => \&dump_uascompat,
"userAccountControl" => \&dump_uac,
"msDS-User-Account-Control-Computed" => \&dump_uacc,
"userCertificate" => \&dump_cert,
"userFlags" => \&dump_uf,
"userParameters" => \&dump_munged_dial,
"whenChanged" => \&dump_timestr,
"whenCreated" => \&dump_timestr,
# "dSCorePropagationData" => \&dump_timestr,
);
@ -347,7 +476,8 @@ my %attr_handler = (
################
sub usage {
print "usage: $0 [--base|-b base] [--debug level] [--debug level] [--DN|-D binddn] [--extendeddn|-e] [--help] [--host|-h host] [--machine|-P] [--metadata|-m] [--nodiffs] [--notify|-n] [--password|-w password] [--port port] [--rawdisplay] [--realm|-R realm] [--rootdse] [--saslmech|-Y saslmech] [--schema|-c] [--scope|-s scope] [--simpleauth|-x] [--starttls|-Z] [--user|-U user] [--wknguid] [--workgroup|-k workgroup] filter [attrs]\n";
print "usage: $0 [--asq] [--base|-b base] [--debug level] [--debug level] [--DN|-D binddn] [--extendeddn|-e] [--help] [--host|-h host] [--machine|-P] [--metadata|-m] [--nodiffs] [--notify|-n] [--password|-w password] [--port port] [--rawdisplay] [--realm|-R realm] [--rootdse] [--saslmech|-Y saslmech] [--schema|-c] [--scope|-s scope] [--simpleauth|-x] [--starttls|-Z] [--user|-U user] [--wknguid] [--workgroup|-k workgroup] filter [attrs]\n";
print "\t--asq [attribute]\n\t\tAttribute to use for a attribute scoped query (LDAP_SERVER_ASQ_OID)\n";
print "\t--base|-b [base]\n\t\tUse base [base]\n";
print "\t--debug [level]\n\t\tUse debuglevel (for Net::LDAP)\n";
print "\t--DN|-D [binddn]\n\t\tUse binddn or principal\n";
@ -547,6 +677,8 @@ sub prompt_user {
}
sub check_ticket {
return 0;
# works only for heimdal
return system("$klist -t");
}
@ -740,18 +872,32 @@ sub parse_ads_h {
chomp($line);
if ($line =~ /#define.UF.*0x/) {
my ($tmp, $name, $val) = split(/\s+/,$line);
next if ($name =~ /UNUSED/);
next if ($name =~ /UNUSED/);
# $ads_uf{$name} = sprintf("%d", hex $val);
$ads_uf{$name} = hex $val;
}
if ($line =~ /#define.GTYPE.*0x/) {
if ($line =~ /#define.GROUP_TYPE.*0x/) {
my ($tmp, $name, $val) = split(/\s+/,$line);
$ads_gtype{$name} = hex $val;
$ads_grouptype{$name} = hex $val;
}
if ($line =~ /#define.ATYPE.*0x/) {
my ($tmp, $name, $val) = split(/\s+/,$line);
$ads_atype{$name} =
(exists $ads_atype{$val}) ? $ads_atype{$val} : hex $val;
}
if ($line =~ /#define.GTYPE.*0x/) {
my ($val, $i);
my ($tmp, $name, @val) = split(/\s+/,$line);
foreach my $tempval (@val) {
if ($tempval =~ /^0x/) {
$val = $tempval;
last;
}
}
next if (!$val);
$ads_gtype{$name} = sprintf("%d", hex $val);
}
}
close(ADSH);
}
@ -825,52 +971,12 @@ sub display_result_diff ($) {
sub sid2string ($) {
# Fix from Michael James <michael@james.st>
my $binary_sid = shift;
my $inbuf2;
my $sid_rev; # [1]
my $num_auths; # [1]
my @id_auth; # [6]
my @sub_auths;
my $subauth; # [16]
my $sid_strout;
my $ia;
my $tmp_sid = unpack 'H*', $binary_sid;
# split the binary string
($sid_rev, $num_auths,
$id_auth[0], $id_auth[1], $id_auth[2], $id_auth[3], $id_auth[4], $id_auth[5],
$sub_auths[0], $sub_auths[1], $sub_auths[2], $sub_auths[3], $sub_auths[4], $inbuf2)
= unpack 'H2 H2 H2 H2 H2 H2 H2 H2 h8 h8 h8 h8 h8 h*',"$binary_sid";
# don't ask...
for ( my $i = 0; $i < $num_auths; $i++ ) {
$sub_auths[$i] = reverse $sub_auths[$i];
}
# build the identifier authority
if ( ($id_auth[0] != 0) || ($id_auth[1] != 0) ) {
$ia = $id_auth[0].
$id_auth[1].
$id_auth[2].
$id_auth[3].
$id_auth[4].
$id_auth[5];
} else {
$ia = ($id_auth[5]) +
($id_auth[4] << 8) +
($id_auth[3] << 16) +
($id_auth[2] << 24);
}
# build the sid
$sid_strout = sprintf("S-%lu-%lu",hex($sid_rev),hex($ia));
for (my $i = 0; $i < $num_auths; $i++ ) {
$sid_strout .= sprintf( "-%lu", hex($sub_auths[$i]) );
}
return $sid_strout;
my($sid_rev, $num_auths, $id1, $id2, @ids) = unpack("H2 H2 n N V*", $binary_sid);
my $sid_string = join("-", "S", hex($sid_rev), ($id1<<32)+$id2, @ids);
return $sid_string;
}
sub string_to_guid {
@ -959,9 +1065,10 @@ sub gen_bitmask_string_format($%) {
foreach my $key (sort keys %tmp) {
push(@list, sprintf("%s %s", $tmp{$key}, $key));
}
return join("\n$mod\t\t\t",@list);
return join("\n$mod$tabsize",@list);
}
sub nt_to_unixtime ($) {
# the number of 100 nanosecond intervals since jan. 1. 1601 (utc)
my $t64 = shift;
@ -994,7 +1101,7 @@ sub dump_bitmask {
my (%header) = @_;
my %tmp;
$tmp{""} = $val;
foreach my $key (sort keys %header) {
foreach my $key (sort keys %header) { # sort by val !
if ($op eq "&") {
$tmp{$key} = ( $val & $header{$key} ) ? $set:$unset;
} elsif ($op eq "==") {
@ -1019,6 +1126,18 @@ sub dump_uac {
return dump_bitmask_and(@_,%ads_uf); # ads_uf ?
}
sub dump_uascompat {
return dump_bitmask_equal(@_,%ads_uascompat);
}
sub dump_gpoptions {
return dump_bitmask_equal(@_,%ads_gpoptions);
}
sub dump_gpflags {
return dump_bitmask_equal(@_,%ads_gpflags);
}
sub dump_uacc {
return dump_bitmask_equal(@_,%ads_uacc);
}
@ -1028,7 +1147,10 @@ sub dump_uf {
}
sub dump_gtype {
return dump_bitmask_and(@_,%ads_gtype);
my $ret = dump_bitmask_and(@_,%ads_grouptype);
$ret .= "\n$tabsize\t";
$ret .= dump_bitmask_equal(@_,%ads_gtype);
return $ret;
}
sub dump_atype {
@ -1059,6 +1181,34 @@ sub dump_ds_func {
return dump_bitmask_equal(@_,%ads_ds_func);
}
sub dump_serverstate {
return dump_bitmask_equal(@_,%ads_serverstate);
}
sub dump_sdeffective {
return dump_bitmask_and(@_,%ads_sdeffective);
}
sub dump_trustattr {
return dump_bitmask_equal(@_,%ads_trustattrs);
}
sub dump_trusttype {
return dump_bitmask_equal(@_,%ads_trusttype);
}
sub dump_trustdirection {
return dump_bitmask_equal(@_,%ads_trustdirection);
}
sub dump_pwdproperties {
return dump_bitmask_and(@_,%ads_pwdproperties);
}
sub dump_frstype {
return dump_bitmask_equal(@_,%ads_frstypes)
}
sub dump_mixed_domain {
return dump_bitmask_equal(@_,%ads_mixed_domain);
}
@ -1100,6 +1250,9 @@ sub dump_nttime_abs {
sub dump_timestr {
my $time = shift;
if ($time eq "16010101000010.0Z") {
return sprintf("%s (%s)", "never", $time);
}
my ($year,$mon,$mday,$hour,$min,$sec,$zone) =
unpack('a4 a2 a2 a2 a2 a2 a4', $time);
$mon -= 1;
@ -1120,6 +1273,37 @@ sub dump_munged_dial {
return "FIXME! decode this";
}
sub dump_cert {
my $cert = shift;
open(OPENSSL, "| /usr/bin/openssl x509 -text -inform der");
print OPENSSL $cert;
close(OPENSSL);
return "";
}
sub dump_pkt {
my $pkt = shift;
return "not yet";
printf("%s: ", $pkt);
printf("%02X", $pkt);
}
sub dump_gplink {
my $gplink = shift;
my $gplink_mod = $gplink;
my @links = split("\\]\\[", $gplink_mod);
foreach my $link (@links) {
$link =~ s/^\[|\]$//g;
my ($ldap_link, $opt) = split(";", $link);
my @array = ( "$opt", "\t" );
printf("%slink: %s, opt: %s\n", $tabsize, $ldap_link, dump_bitmask_and(@array, %ads_gplink_opts));
}
return $gplink;
}
sub construct_filter {
my $tmp = shift;
@ -1154,10 +1338,12 @@ sub construct_attrs {
push(@attrs,"replPropertyMetaData");
}
push(@attrs,"nTSecurityDescriptor");
push(@attrs,"msDS-KeyVersionNumber");
push(@attrs,"msDS-User-Account-Control-Computed");
push(@attrs,"modifyTimeStamp");
if ($opt_verbose) {
push(@attrs,"nTSecurityDescriptor");
push(@attrs,"msDS-KeyVersionNumber");
push(@attrs,"msDS-User-Account-Control-Computed");
push(@attrs,"modifyTimeStamp");
}
return sort @attrs;
}
@ -1183,29 +1369,50 @@ sub print_header {
sub gen_controls {
my $asn = Convert::ASN1->new;
$asn->prepare(
# setup attribute-scoped query control
my $asq_asn = Convert::ASN1->new;
$asq_asn->prepare(
q< asq ::= SEQUENCE {
sourceAttribute OCTET_STRING
}
>
);
my $ctl_asq_val = $asq_asn->encode( sourceAttribute => $opt_asq);
my $ctl_asq = Net::LDAP::Control->new(
type => $ads_controls{'LDAP_SERVER_ASQ_OID'},
critical => 'true',
value => $ctl_asq_val);
# setup extended dn control
my $asn_extended_dn = Convert::ASN1->new;
$asn_extended_dn->prepare(
q< ExtendedDn ::= SEQUENCE {
mode INTEGER
}
>
);
my $ctl_extended_dn_val = $asn->encode( mode => '1');
my $ctl_extended_dn_val = $asn_extended_dn->encode( mode => '1');
my $ctl_extended_dn =Net::LDAP::Control->new(
type => $ads_controls{'LDAP_SERVER_EXTENDED_DN_OID'},
critical => 'true',
value => $ctl_extended_dn_val);
# setup notify control
my $ctl_notification = Net::LDAP::Control->new(
type => $ads_controls{'LDAP_SERVER_NOTIFICATION_OID'},
critical => 'true');
# setup paging control
$ctl_paged = Net::LDAP::Control->new(
type => $ads_controls{'LDAP_PAGED_RESULT_OID_STRING'},
critical => 'true',
size => $page_size);
if ($paging) {
push(@ctrls, $ctl_paged);
push(@ctrls_s, "LDAP_PAGED_RESULT_OID_STRING" );
@ -1220,6 +1427,11 @@ sub gen_controls {
push(@ctrls_s, "LDAP_SERVER_NOTIFICATION_OID");
}
if ($opt_asq) {
push(@ctrls, $ctl_asq);
push(@ctrls_s, "LDAP_SERVER_ASQ_OID");
}
return @ctrls;
}
@ -1244,7 +1456,7 @@ sub display_attr_generic ($$$) {
my $ref = $entry->get_value($attr, asref => 1);
my @values = @$ref;
foreach my $value (@values) {
foreach my $value ( sort @values) {
display_value_generic($mod,$attr,$value);
}
}
@ -1254,14 +1466,14 @@ sub display_entry_generic ($) {
my $entry = shift;
return if (!$entry);
foreach my $attr ( $entry->attributes) {
foreach my $attr ( sort $entry->attributes) {
display_attr_generic("\t",$entry,$attr);
}
}
sub display_ldap_err ($) {
my $msg = shift;
my $msg = shift;
print_header();
my ($package, $filename, $line, $subroutine) = caller(0);
@ -1342,6 +1554,11 @@ sub notify_callback {
while (1) {
my $async_entry = $async_search->pop_entry;
if (!$async_entry->dn) {
print "very weird. entry has no dn\n";
next;
}
printf("\ngot changenotify for dn: [%s]\n%s\n", $async_entry->dn, ("-" x 80));
@ -1450,7 +1667,7 @@ sub main () {
if ($opt_notify) {
print "[$base] is registered now for change-notify\n";
print "Base [$base] is registered now for change-notify\n";
print "\nWaiting for change-notify...\n";
my $sync_ldap_hd = get_ldap_hd($server,0);