3 # Copyright Stefan Metzmacher 2011-2012
5 # This program is free software; you can redistribute it and/or modify
6 # it under the terms of the GNU General Public License as published by
7 # the Free Software Foundation; either version 3 of the License, or
8 # (at your option) any later version.
10 # This program is distributed in the hope that it will be useful,
11 # but WITHOUT ANY WARRANTY; without even the implied warranty of
12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 # GNU General Public License for more details.
15 # You should have received a copy of the GNU General Public License
16 # along with this program. If not, see <http://www.gnu.org/licenses/>.
18 # This is useful to sync passwords from an AD domain.
21 # $ source4/scripting/devel/repl_cleartext_pwd.py \
22 # -Uadministrator%A1b2C3d4 \
23 # 172.31.9.219 DC=bla,DC=base /tmp/cookie cleartext_utf8 131085 displayName
24 # # starting at usn[0]
25 # dn: CN=Test User1,CN=Users,DC=bla,DC=base
26 # cleartext_utf8: A1b2C3d4
27 # displayName:: VABlAHMAdAAgAFUAcwBlAHIAMQA=
31 # $ source4/scripting/devel/repl_cleartext_pwd.py \
32 # -Uadministrator%A1b2C3d4
33 # 172.31.9.219 DC=bla,DC=base cookie_file cleartext_utf8 131085 displayName
34 # # starting at usn[16449]
41 # Find right direction when running from source tree
42 sys.path.insert(0, "bin/python")
44 import samba.getopt as options
45 from optparse import OptionParser
47 from samba.dcerpc import drsuapi, drsblobs, misc
48 from samba.ndr import ndr_pack, ndr_unpack, ndr_print
52 import Crypto.Cipher.ARC4
56 from ldif import LDIFWriter
61 self.ldif = LDIFWriter(sys.stdout)
63 def add_attr(self, dn, attname, vals):
64 if dn not in self.global_objs:
65 self.global_objs[dn] = {}
66 self.global_objs[dn][attname] = vals
69 for dn, obj in self.global_objs.items():
70 self.ldif.unparse(dn, obj)
74 ########### main code ###########
75 if __name__ == "__main__":
76 parser = OptionParser("repl_cleartext_pwd.py [options] server dn cookie_file cleartext_name [attid attname]")
77 sambaopts = options.SambaOptions(parser)
78 credopts = options.CredentialsOptions(parser)
79 parser.add_option_group(credopts)
81 (opts, args) = parser.parse_args()
83 if len(args) < 4 or len(args) == 5:
84 parser.error("more arguments required")
89 if len(cookie_file) == 0:
91 cleartext_name = args[3]
99 lp = sambaopts.get_loadparm()
100 creds = credopts.get_credentials(lp)
102 if not creds.authentication_requested():
103 parser.error("You must supply credentials")
107 f = open(cookie_file, 'r')
108 store_blob = f.read()
111 store_hdr = store_blob[0:28]
113 store_dn_len, store_dn_ofs, \
114 store_hwm_len, store_hwm_ofs, \
115 store_utdv_len, store_utdv_ofs) = \
116 struct.unpack("<LLLLLLL", store_hdr)
118 store_dn = store_blob[store_dn_ofs:store_dn_ofs+store_dn_len]
119 store_hwm_blob = store_blob[store_hwm_ofs:store_hwm_ofs+store_hwm_len]
120 store_utdv_blob = store_blob[store_utdv_ofs:store_utdv_ofs+store_utdv_len]
122 store_hwm = ndr_unpack(drsuapi.DsReplicaHighWaterMark, store_hwm_blob)
123 store_utdv = ndr_unpack(drsblobs.replUpToDateVectorBlob, store_utdv_blob)
125 assert store_dn == dn
126 #print "%s" % ndr_print(store_hwm)
127 #print "%s" % ndr_print(store_utdv)
130 store_hwm = drsuapi.DsReplicaHighWaterMark()
131 store_hwm.tmp_highest_usn = 0
132 store_hwm.reserved_usn = 0
133 store_hwm.highest_usn = 0
136 binding_str = "ncacn_ip_tcp:%s[spnego,seal]" % server
138 drs_conn = drsuapi.drsuapi(binding_str, lp, creds)
140 bind_info = drsuapi.DsBindInfoCtr()
141 bind_info.length = 28
142 bind_info.info = drsuapi.DsBindInfo28()
143 bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_BASE
144 bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_ASYNC_REPLICATION
145 bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_REMOVEAPI
146 bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_MOVEREQ_V2
147 bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_GETCHG_COMPRESS
148 bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V1
149 bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_RESTORE_USN_OPTIMIZATION
150 bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_KCC_EXECUTE
151 bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY_V2
152 bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_LINKED_VALUE_REPLICATION
153 bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V2
154 bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_INSTANCE_TYPE_NOT_REQ_ON_MOD
155 bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_CRYPTO_BIND
156 bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_GET_REPL_INFO
157 bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_STRONG_ENCRYPTION
158 bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V01
159 bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_TRANSITIVE_MEMBERSHIP
160 bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_ADD_SID_HISTORY
161 bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_POST_BETA3
162 bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_GET_MEMBERSHIPS2
163 bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V6
164 bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_NONDOMAIN_NCS
165 bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V8
166 bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V5
167 bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V6
168 bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_ADDENTRYREPLY_V3
169 bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V7
170 bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_VERIFY_OBJECT
171 (info, drs_handle) = drs_conn.DsBind(misc.GUID(drsuapi.DRSUAPI_DS_BIND_GUID), bind_info)
173 null_guid = misc.GUID()
175 naming_context = drsuapi.DsReplicaObjectIdentifier()
176 naming_context.dn = dn
177 highwatermark = store_hwm
178 uptodateness_vector = None
179 if store_utdv is not None:
180 uptodateness_vector = drsuapi.DsReplicaCursorCtrEx()
181 if store_utdv.version == 1:
182 uptodateness_vector.cursors = store_utdv.cursors
183 elif store_utdv.version == 2:
185 for i in range(0, store_utdv.ctr.count):
186 cursor = drsuapi.DsReplicaCursor()
187 cursor.source_dsa_invocation_id = store_utdv.ctr.cursors[i].source_dsa_invocation_id
188 cursor.highest_usn = store_utdv.ctr.cursors[i].highest_usn
189 cursors.append(cursor)
190 uptodateness_vector.cursors = cursors
192 req8 = drsuapi.DsGetNCChangesRequest8()
194 req8.destination_dsa_guid = null_guid
195 req8.source_dsa_invocation_id = null_guid
196 req8.naming_context = naming_context
197 req8.highwatermark = highwatermark
198 req8.uptodateness_vector = uptodateness_vector
199 req8.replica_flags = (drsuapi.DRSUAPI_DRS_INIT_SYNC |
200 drsuapi.DRSUAPI_DRS_PER_SYNC |
201 drsuapi.DRSUAPI_DRS_GET_ANC |
202 drsuapi.DRSUAPI_DRS_NEVER_SYNCED |
203 drsuapi.DRSUAPI_DRS_WRIT_REP)
204 req8.max_object_count = 402
205 req8.max_ndr_size = 402116
208 req8.partial_attribute_set = None
209 req8.partial_attribute_set_ex = None
210 req8.mapping_ctr.num_mappings = 0
211 req8.mapping_ctr.mappings = None
213 user_session_key = drs_conn.user_session_key
215 print "# starting at usn[%d]" % (highwatermark.highest_usn)
218 (level, ctr) = drs_conn.DsGetNCChanges(drs_handle, 8, req8)
219 if ctr.first_object == None and ctr.object_count != 0:
220 raise RuntimeError("DsGetNCChanges: NULL first_object with object_count=%u" % (ctr.object_count))
222 obj_item = ctr.first_object
223 while obj_item is not None:
224 obj = obj_item.object
226 if obj.identifier is None:
227 obj_item = obj_item.next_object
230 #print '%s' % obj.identifier.dn
233 for i in range(0, obj.attribute_ctr.num_attributes):
234 attr = obj.attribute_ctr.attributes[i]
235 if attr.attid == drsuapi.DRSUAPI_ATTID_isDeleted:
238 obj_item = obj_item.next_object
243 for i in range(0, obj.attribute_ctr.num_attributes):
244 attr = obj.attribute_ctr.attributes[i]
245 if attr.attid == attid:
247 for j in range(0, attr.value_ctr.num_values):
248 assert attr.value_ctr.values[j].blob is not None
249 attvals.append(attr.value_ctr.values[j].blob)
250 if attr.attid != drsuapi.DRSUAPI_ATTID_supplementalCredentials:
252 assert attr.value_ctr.num_values <= 1
253 if attr.value_ctr.num_values == 0:
255 assert attr.value_ctr.values[0].blob is not None
256 spl_crypt = attr.value_ctr.values[0].blob
259 if spl_crypt is None:
260 obj_item = obj_item.next_object
263 assert len(spl_crypt) >= 20
264 confounder = spl_crypt[0:16]
265 enc_buffer = spl_crypt[16:]
268 m5.update(user_session_key)
269 m5.update(confounder)
270 enc_key = m5.digest()
272 rc4 = Crypto.Cipher.ARC4.new(enc_key)
273 plain_buffer = rc4.decrypt(enc_buffer)
275 (crc32_v) = struct.unpack("<L", plain_buffer[0:4])
276 attr_val = plain_buffer[4:]
277 crc32_c = binascii.crc32(attr_val) & 0xffffffff
278 assert int(crc32_v[0]) == int(crc32_c), "CRC32 0x%08X != 0x%08X" % (crc32_v[0], crc32_c)
280 spl = ndr_unpack(drsblobs.supplementalCredentialsBlob, attr_val)
282 #print '%s' % ndr_print(spl)
286 for i in range(0, spl.sub.num_packages):
287 pkg = spl.sub.packages[i]
288 if pkg.name != "Primary:CLEARTEXT":
290 cleartext_hex = pkg.data
292 if cleartext_hex is not None:
293 cleartext_utf16 = binascii.a2b_hex(cleartext_hex)
294 cleartext_unicode = unicode(cleartext_utf16, 'utf-16-le')
295 cleartext_utf8 = cleartext_unicode.encode('utf-8')
297 gls.add_attr(obj.identifier.dn, cleartext_name, [cleartext_utf8])
299 if attvals is not None:
300 gls.add_attr(obj.identifier.dn, attname, attvals)
304 for i in range(0, spl.sub.num_packages):
305 pkg = spl.sub.packages[i]
306 if pkg.name != "Primary:Kerberos":
308 krb5_old_hex = pkg.data
310 if krb5_old_hex is not None:
311 krb5_old_raw = binascii.a2b_hex(krb5_old_hex)
312 krb5_old = ndr_unpack(drsblobs.package_PrimaryKerberosBlob, krb5_old_raw, allow_remaining=True)
314 #print '%s' % ndr_print(krb5_old)
318 for i in range(0, spl.sub.num_packages):
319 pkg = spl.sub.packages[i]
320 if pkg.name != "Primary:Kerberos-Newer-Keys":
322 krb5_new_hex = pkg.data
324 if krb5_new_hex is not None:
325 krb5_new_raw = binascii.a2b_hex(krb5_new_hex)
326 krb5_new = ndr_unpack(drsblobs.package_PrimaryKerberosBlob, krb5_new_raw, allow_remaining=True)
328 #print '%s' % ndr_print(krb5_new)
330 obj_item = obj_item.next_object
334 if ctr.more_data == 0:
335 store_hwm = ctr.new_highwatermark
337 store_utdv = drsblobs.replUpToDateVectorBlob()
338 store_utdv.version = ctr.uptodateness_vector.version
339 store_utdv_ctr = store_utdv.ctr
340 store_utdv_ctr.count = ctr.uptodateness_vector.count
341 store_utdv_ctr.cursors = ctr.uptodateness_vector.cursors
342 store_utdv.ctr = store_utdv_ctr
344 #print "%s" % ndr_print(store_hwm)
345 #print "%s" % ndr_print(store_utdv)
347 store_hwm_blob = ndr_pack(store_hwm)
348 store_utdv_blob = ndr_pack(store_utdv)
351 # uint32_t version '1'
352 # uint32_t dn_str_len
353 # uint32_t dn_str_ofs
354 # uint32_t hwm_blob_len
355 # uint32_t hwm_blob_ofs
356 # uint32_t utdv_blob_len
357 # uint32_t utdv_blob_ofs
358 store_hdr_len = 7 * 4
359 dn_ofs = store_hdr_len
360 hwm_ofs = dn_ofs + len(dn)
361 utdv_ofs = hwm_ofs + len(store_hwm_blob)
362 store_blob = struct.pack("<LLLLLLL", 1, \
364 len(store_hwm_blob), hwm_ofs, \
365 len(store_utdv_blob), utdv_ofs) + \
366 dn + store_hwm_blob + store_utdv_blob
368 tmp_file = "%s.tmp" % cookie_file
369 f = open(tmp_file, 'wb')
372 os.rename(tmp_file, cookie_file)
374 print "# up to usn[%d]" % (ctr.new_highwatermark.highest_usn)
376 print "# up to tmp_usn[%d]" % (ctr.new_highwatermark.highest_usn)
377 req8.highwatermark.tmp_highest_usn = ctr.new_highwatermark.tmp_highest_usn