The Samba-Bugzilla – Attachment 10241 Details for
Bug 9629
Since version 3.0.33-3.29.el5_5.1 the binary /usr/bin/profiles does not work.
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
TODO: samba-tool replace-binary-sid
tmp.diff (text/plain), 8.82 KB, created by
Stefan Metzmacher
on 2014-09-01 07:06:24 UTC
(
hide
)
Description:
TODO: samba-tool replace-binary-sid
Filename:
MIME Type:
Creator:
Stefan Metzmacher
Created:
2014-09-01 07:06:24 UTC
Size:
8.82 KB
patch
obsolete
>From a1f930ddbd4f43376829569441c7de4b920d9e02 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 17 Apr 2013 14:02:09 +0200 >Subject: [PATCH 1/3] samba-tool: add 'replace-binary-sid' command > >This is a replacement for the broken 'profiles' utility. > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >--- > python/samba/netcmd/main.py | 2 + > python/samba/netcmd/replace_binary_sid.py | 111 +++++++++++++++++++++++++++++ > 2 files changed, 113 insertions(+) > create mode 100755 python/samba/netcmd/replace_binary_sid.py > >diff --git a/python/samba/netcmd/main.py b/python/samba/netcmd/main.py >index 5f788235..4246364 100644 >--- a/python/samba/netcmd/main.py >+++ b/python/samba/netcmd/main.py >@@ -39,6 +39,7 @@ from samba.netcmd.time import cmd_time > from samba.netcmd.user import cmd_user > from samba.netcmd.vampire import cmd_vampire > from samba.netcmd.processes import cmd_processes >+from samba.netcmd.replace_binary_sid import cmd_replace_binary_sid > > > class cmd_sambatool(SuperCommand): >@@ -68,3 +69,4 @@ class cmd_sambatool(SuperCommand): > subcommands["user"] = cmd_user() > subcommands["vampire"] = cmd_vampire() > subcommands["processes"] = cmd_processes() >+ subcommands["replace-binary-sid"] = cmd_replace_binary_sid() >diff --git a/python/samba/netcmd/replace_binary_sid.py b/python/samba/netcmd/replace_binary_sid.py >new file mode 100755 >index 0000000..3640574 >--- /dev/null >+++ b/python/samba/netcmd/replace_binary_sid.py >@@ -0,0 +1,111 @@ >+# >+# Copyright Stefan Metzmacher metze@samba.org 2013 >+# >+# This program is free software; you can redistribute it and/or modify >+# it under the terms of the GNU General Public License as published by >+# the Free Software Foundation; either version 3 of the License, or >+# (at your option) any later version. >+# >+# This program is distributed in the hope that it will be useful, >+# but WITHOUT ANY WARRANTY; without even the implied warranty of >+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the >+# GNU General Public License for more details. >+# >+# You should have received a copy of the GNU General Public License >+# along with this program. If not, see <http://www.gnu.org/licenses/>. >+# >+ >+# >+# Tool to replace SID's in binary NDR format within a file. >+# This can be used for NTUSER.dat files, when migrating >+# roaming profiles to a new domain. >+# >+ >+import os >+from samba.dcerpc import security >+from samba.ndr import ndr_pack >+import samba.getopt as options >+from samba.netcmd import ( >+ Command, >+ CommandError, >+ Option >+ ) >+ >+class cmd_replace_binary_sid(Command): >+ """Replace a binary (NDR) encoded SID in a file (e.g. NTUSER.dat).""" >+ >+ synopsis = "%prog <oldfile> <oldsid> <newfile> <newsid> [options]" >+ >+ takes_optiongroups = { >+ "versionopts": options.VersionOptions, >+ } >+ >+ takes_options = [ >+ Option("--verbose", dest="verbose", action="store_true") >+ ] >+ >+ takes_args = ["oldfile", "oldsid", "newfile", "newsid"] >+ >+ def run(self, old_file_path, old_sid_str, new_file_path, new_sid_str, >+ versionopts=None, verbose=False): >+ try: >+ old_sid = security.dom_sid(old_sid_str) >+ except Exception, err: >+ raise CommandError("oldsid[%s] invalid" % (old_sid_str)) >+ old_bin = ndr_pack(old_sid) >+ try: >+ new_sid = security.dom_sid(new_sid_str) >+ except Exception, err: >+ raise CommandError("newsid[%s] invalid" % (new_sid_str)) >+ new_bin = ndr_pack(new_sid) >+ >+ if old_file_path == new_file_path: >+ raise CommandError("old_file_path should not match new_file_path") >+ >+ if len(old_bin) != len(new_bin): >+ raise CommandError("The binary size of oldsid(%d) != newsid(%d)" \ >+ % (len(old_bin), len(new_bin))) >+ >+ blen = len(old_bin) >+ if blen < 24: >+ raise CommandError("The binary size of oldsid(%d) < 24" \ >+ % (len(old_bin))) >+ >+ try: >+ old_fd = os.open(old_file_path, os.O_RDONLY) >+ except Exception, err: >+ raise CommandError(err) >+ old_st = os.fstat(old_fd) >+ new_flags = os.O_WRONLY|os.O_CREAT|os.O_NOFOLLOW|os.O_EXCL >+ new_mode = old_st.st_mode >+ try: >+ new_fd = os.open(new_file_path, new_flags, new_mode) >+ except Exception, err: >+ raise CommandError(err) >+ old_file = os.fdopen(old_fd, 'r') >+ old_bytes = old_file.read() >+ old_file.close() >+ >+ new_bytes = "" >+ ofs = 0 >+ remaining = len(old_bytes) - ofs >+ while remaining >= blen: >+ if old_bytes[ofs:ofs+blen] == old_bin: >+ if verbose: >+ print "replacing at offset[%d]" % (ofs) >+ new_bytes += new_bin >+ ofs += blen >+ else: >+ new_bytes += old_bytes[ofs:ofs+1] >+ ofs += 1 >+ remaining = len(old_bytes) - ofs >+ >+ if remaining > 0: >+ new_bytes += old_bytes[ofs:ofs+remaining] >+ ofs += remaining >+ >+ new_file = os.fdopen(new_fd, 'w') >+ new_file.write(new_bytes) >+ new_file.close() >+ >+ return >-- >1.7.9.5 > > >From 3428a3868b1a7a718896f859cb45b6c2971b337a Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 6 Mar 2013 09:40:36 +0100 >Subject: [PATCH 2/3] s3:utils/profiles: fix a compiler warning > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >--- > source3/utils/profiles.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > >diff --git a/source3/utils/profiles.c b/source3/utils/profiles.c >index 30c6ad0..51e63d4 100644 >--- a/source3/utils/profiles.c >+++ b/source3/utils/profiles.c >@@ -194,7 +194,7 @@ static bool copy_registry_tree( REGF_FILE *infile, REGF_NK_REC *nk, > /********************************************************************* > *********************************************************************/ > >-int main( int argc, char *argv[] ) >+int main(int argc, const char *argv[]) > { > TALLOC_CTX *frame = talloc_stackframe(); > int opt; >@@ -218,7 +218,7 @@ int main( int argc, char *argv[] ) > > setup_logging( "profiles", DEBUG_STDERR); > >- pc = poptGetContext("profiles", argc, (const char **)argv, long_options, >+ pc = poptGetContext("profiles", argc, argv, long_options, > POPT_CONTEXT_KEEP_FIRST); > > poptSetOtherOptionHelp(pc, "<profilefile>"); >-- >1.7.9.5 > > >From 89e4ac59314961964522203a4370cb9c19f38e18 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 17 Apr 2013 14:07:02 +0200 >Subject: [PATCH 3/3] s3:utils/profiles: add --really-force option and warn > about data corruption (bug #9629) > >While trying to fix the problem from bug #9629, I found that >the profiles tool completely corrupts the new NTUSER.dat file, >there're missing keys and values (regdiff show differences) >and the resulting file is much smaller than the original file. > >Instead of trying to fix the security descriptors on registry level, >it's much easier and safer to just replace the binary SID values >within the NTUSER.dat file. > >We keep the profiles binary, so that admins get pointed to >'samba-tool replace-binary-sids'. > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >--- > source3/utils/profiles.c | 17 +++++++++++++++++ > 1 file changed, 17 insertions(+) > >diff --git a/source3/utils/profiles.c b/source3/utils/profiles.c >index 51e63d4..1aad280 100644 >--- a/source3/utils/profiles.c >+++ b/source3/utils/profiles.c >@@ -201,11 +201,16 @@ int main(int argc, const char *argv[]) > REGF_FILE *infile, *outfile; > REGF_NK_REC *nk; > char *orig_filename, *new_filename; >+ enum { >+ OPT_REALLY_FORCE = 1000 >+ }; >+ bool really_force = false; > struct poptOption long_options[] = { > POPT_AUTOHELP > { "change-sid", 'c', POPT_ARG_STRING, NULL, 'c', "Provides SID to change" }, > { "new-sid", 'n', POPT_ARG_STRING, NULL, 'n', "Provides SID to change to" }, > { "verbose", 'v', POPT_ARG_NONE, &opt_verbose, 'v', "Verbose output" }, >+ { "really-force", 0, POPT_ARG_NONE, NULL, OPT_REALLY_FORCE, "ignore corruption warning" }, > POPT_COMMON_SAMBA > POPT_COMMON_VERSION > POPT_TABLEEND >@@ -245,6 +250,9 @@ int main(int argc, const char *argv[]) > } > break; > >+ case OPT_REALLY_FORCE: >+ really_force = true; >+ break; > } > } > >@@ -255,6 +263,15 @@ int main(int argc, const char *argv[]) > exit(1); > } > >+ if (!really_force) { >+ poptPrintUsage(pc, stderr, 0); >+ fprintf(stderr, "WARNING!!!\n"); >+ fprintf(stderr, "This tool has known bugs which corrupt the output file!\n"); >+ fprintf(stderr, "Better use 'samba-tool replace-binary-sid' to modify your NTUSER.dat\n"); >+ fprintf(stderr, "or use the --really-force option if you want corrupted data.\n"); >+ exit(252); >+ } >+ > if ((!change && new_val) || (change && !new_val)) { > fprintf(stderr, "You must specify both -c and -n if one or the other is set!\n"); > poptPrintUsage(pc, stderr, 0); >-- >1.7.9.5 >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Actions:
View
Attachments on
bug 9629
:
10241
|
10405
|
10494