From c32197dd22587d58dfd5c2c129c402e22e1c9ef7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Mon, 19 Dec 2005 02:15:13 +0000 Subject: r12336: A couple of fixes and enhancements for adssearch.pl (espc. to debug GPOs). sid2string fix from Michael James . Guenther (This used to be commit 9424b65c70bd24ba8f5b6c729dc1440a4dbf5647) --- examples/misc/adssearch.pl | 369 +++++++++++++++++++++++++++++++++++---------- 1 file changed, 293 insertions(+), 76 deletions(-) (limited to 'examples/misc') diff --git a/examples/misc/adssearch.pl b/examples/misc/adssearch.pl index 9bfc9e8a055..f9a7f949262 100755 --- a/examples/misc/adssearch.pl +++ b/examples/misc/adssearch.pl @@ -55,6 +55,7 @@ my $realm = ""; # parse input my ( + $opt_asq, $opt_base, $opt_binddn, $opt_debug, @@ -77,10 +78,12 @@ my ( $opt_simpleauth, $opt_starttls, $opt_user, + $opt_verbose, $opt_workgroup, ); GetOptions( + 'asq=s' => \$opt_asq, 'base|b=s' => \$opt_base, 'D|DN=s' => \$opt_binddn, 'debug=i' => \$opt_debug, @@ -102,6 +105,7 @@ GetOptions( 'simpleauth|x' => \$opt_simpleauth, 'tls|Z' => \$opt_starttls, 'user|U=s' => \$opt_user, + 'verbose|v' => \$opt_verbose, 'wknguid' => \$opt_dump_wknguid, 'workgroup|k=s' => \$opt_workgroup, ); @@ -129,11 +133,12 @@ my ($sasl_hd, $async_ldap_hd, $sync_ldap_hd); my ($mesg, $usn); my (%entry_store); my $async_search; -my (%ads_atype, %ads_gtype, %ads_uf); +my (%ads_atype, %ads_gtype, %ads_grouptype, %ads_uf); # fixed values and vars my $set = "X"; my $unset = "-"; +my $tabsize = "\t\t\t"; # get defaults my $scope = $opt_scope || "sub"; @@ -219,9 +224,112 @@ my %ads_instance_type = ( ); my %ads_uacc = ( - "ACCOUNT_NEVER_EXPIRES" => 0x000000, # 0 - "ACCOUNT_OK" => 0x800000, # 8388608 - "ACCOUNT_LOCKED_OUT" => 0x800010, # 8388624 + "ACCOUNT_NEVER_EXPIRES" => 0x000000, # 0 + "ACCOUNT_OK" => 0x800000, # 8388608 + "ACCOUNT_LOCKED_OUT" => 0x800010, # 8388624 +); + +my %ads_gpoptions = ( + "GPOPTIONS_INHERIT" => 0, + "GPOPTIONS_BLOCK_INHERITANCE" => 1, +); + +my %ads_gplink_opts = ( + "GPLINK_OPT_NONE" => 0, + "GPLINK_OPT_DISABLED" => 1, + "GPLINK_OPT_ENFORCED" => 2, +); + +my %ads_gpflags = ( + "GPFLAGS_ALL_ENABLED" => 0, + "GPFLAGS_USER_SETTINGS_DISABLED" => 1, + "GPFLAGS_MACHINE_SETTINGS_DISABLED" => 2, + "GPFLAGS_ALL_DISABLED" => 3, +); + +my %ads_serverstate = ( + "SERVER_ENABLED" => 1, + "SERVER_DISABLED" => 2, +); + +my %ads_sdeffective = ( + "OWNER_SECURITY_INFORMATION" => 0x01, + "DACL_SECURITY_INFORMATION" => 0x04, + "SACL_SECURITY_INFORMATION" => 0x10, +); + +my %ads_trustattrs = ( + "TRUST_ATTRIBUTE_NON_TRANSITIVE" => 1, + "TRUST_ATTRIBUTE_TREE_PARENT" => 2, + "TRUST_ATTRIBUTE_TREE_ROOT" => 3, + "TRUST_ATTRIBUTE_UPLEVEL_ONLY" => 4, +); + +my %ads_trustdirection = ( + "TRUST_DIRECTION_INBOUND" => 1, + "TRUST_DIRECTION_OUTBOUND" => 2, + "TRUST_DIRECTION_BIDIRECTIONAL" => 3, +); + +my %ads_trusttype = ( + "TRUST_TYPE_DOWNLEVEL" => 1, + "TRUST_TYPE_UPLEVEL" => 2, + "TRUST_TYPE_KERBEROS" => 3, + "TRUST_TYPE_DCE" => 4, +); + +my %ads_pwdproperties = ( + "DOMAIN_PASSWORD_COMPLEX" => 1, + "DOMAIN_PASSWORD_NO_ANON_CHANGE" => 2, + "DOMAIN_PASSWORD_NO_CLEAR_CHANGE" => 4, + "DOMAIN_LOCKOUT_ADMINS" => 8, + "DOMAIN_PASSWORD_STORE_CLEARTEXT" => 16, + "DOMAIN_REFUSE_PASSWORD_CHANGE" => 32, +); + +my %ads_uascompat = ( + "LANMAN_USER_ACCOUNT_SYSTEM_NOLIMITS" => 0, + "LANMAN_USER_ACCOUNT_SYSTEM_COMPAT" => 1, +); + +my %ads_frstypes = ( + "REPLICA_SET_SYSVOL" => 2, # unsure + "REPLICA_SET_DFS" => 1, # unsure + "REPLICA_SET_OTHER" => 0, # unsure +); + +my %ads_gp_cse_extensions = ( +"Administrative Templates Extension" => "35378EAC-683F-11D2-A89A-00C04FBBCFA2", +"Disk Quotas" => "3610EDA5-77EF-11D2-8DC5-00C04FA31A66", +"EFS Recovery" => "B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A", +"Folder Redirection" => "25537BA6-77A8-11D2-9B6C-0000F8080861", +"IP Security" => "E437BC1C-AA7D-11D2-A382-00C04F991E27", +"Internet Explorer Maintenance" => "A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B", +"QoS Packet Scheduler" => "426031c0-0b47-4852-b0ca-ac3d37bfcb39", +"Scripts" => "42B5FAAE-6536-11D2-AE5A-0000F87571E3", +"Security" => "827D319E-6EAC-11D2-A4EA-00C04F79F83A", +"Software Installation" => "C6DC5466-785A-11D2-84D0-00C04FB169F7", +); + +# guess work +my %ads_gpcextensions = ( +"Administrative Templates" => "0F6B957D-509E-11D1-A7CC-0000F87571E3", +"Certificates" => "53D6AB1D-2488-11D1-A28C-00C04FB94F17", +"EFS recovery policy processing" => "B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A", +"Folder Redirection policy processing" => "25537BA6-77A8-11D2-9B6C-0000F8080861", +"Folder Redirection" => "88E729D6-BDC1-11D1-BD2A-00C04FB9603F", +"Registry policy processing" => "35378EAC-683F-11D2-A89A-00C04FBBCFA2", +"Remote Installation Services" => "3060E8CE-7020-11D2-842D-00C04FA372D4", +"Security Settings" => "803E14A0-B4FB-11D0-A0D0-00A0C90F574B", +"Security policy processing" => "827D319E-6EAC-11D2-A4EA-00C04F79F83A", +"unknown" => "3060E8D0-7020-11D2-842D-00C04FA372D4", +"unknown2" => "53D6AB1B-2488-11D1-A28C-00C04FB94F17", +); + +my %ads_gpo_default_guids = ( +"Default Domain Policy" => "31B2F340-016D-11D2-945F-00C04FB984F9", +"Default Domain Controllers Policy" => "6AC1786C-016F-11D2-945F-00C04fB984F9", +"mist" => "61718096-3D3F-4398-8318-203A48976F9E", ); my %munged_dial = ( @@ -243,7 +351,6 @@ my %munged_dial = ( "CtxCallbackNumber" => \&dump_string, ); - $SIG{__WARN__} = sub { use Carp; Carp::cluck (shift); @@ -299,45 +406,67 @@ if (!$password) { } my %attr_handler = ( + "Token-Groups-No-GC-Acceptable" => \&dump_sid, #wrong name "accountExpires" => \&dump_nttime, "badPasswordTime" => \&dump_nttime, "creationTime" => \&dump_nttime, "currentTime" => \&dump_timestr, "domainControllerFunctionality" => \&dump_ds_func, "domainFunctionality" => \&dump_ds_func, - "dSCorePropagationData" => \&dump_timestr, + "fRSReplicaSetGUID" => \&dump_guid, + "fRSReplicaSetType" => \&dump_frstype, + "fRSVersionGUID" => \&dump_guid, + "flags" => \&dump_gpflags, # fixme: possibly only on gpos! "forceLogoff" => \&dump_nttime_abs, "forestFunctionality" => \&dump_ds_func, +# "gPCMachineExtensionNames" => \&dump_gpcextensions, +# "gPCUserExtensionNames" => \&dump_gpcextensions, + "gPLink" => \&dump_gplink, + "gPOptions" => \&dump_gpoptions, "groupType" => \&dump_gtype, "instanceType" => \&dump_instance_type, "lastLogon" => \&dump_nttime, "lastLogonTimestamp" => \&dump_nttime, - "lockoutTime" => \&dump_nttime, - "lockoutDuration" => \&dump_nttime_abs, "lockOutObservationWindow" => \&dump_nttime_abs, -# "logonHours" => \&dump_not_yet, + "lockoutDuration" => \&dump_nttime_abs, + "lockoutTime" => \&dump_nttime, +# "logonHours" => \&dump_logonhours, "maxPwdAge" => \&dump_nttime_abs, "minPwdAge" => \&dump_nttime_abs, "modifyTimeStamp" => \&dump_timestr, + "msDS-Behavior-Version" => \&dump_ds_func, #unsure + "msDS-User-Account-Control-Computed" => \&dump_uacc, # "msRADIUSFramedIPAddress" => \&dump_ipaddr, # "msRASSavedFramedIPAddress" => \&dump_ipaddr, - "ntMixedDomain" => \&dump_mixed_domain, + "nTMixedDomain" => \&dump_mixed_domain, "nTSecurityDescriptor" => \&dump_secdesc, "objectGUID" => \&dump_guid, "objectSid" => \&dump_sid, + "pKT" => \&dump_pkt, + "pKTGuid" => \&dump_guid, "pwdLastSet" => \&dump_nttime, + "pwdProperties" => \&dump_pwdproperties, "sAMAccountType" => \&dump_atype, - "systemFlags" => \&dump_systemflags, - "supportedControl", => \&dump_controls, + "sDRightsEffective" => \&dump_sdeffective, + "securityIdentifier" => \&dump_sid, + "serverState" => \&dump_serverstate, "supportedCapabilities", => \&dump_capabilities, + "supportedControl", => \&dump_controls, "supportedExtension", => \&dump_extension, + "systemFlags" => \&dump_systemflags, "tokenGroups", => \&dump_sid, + "tokenGroupsGlobalAndUniversal" => \&dump_sid, + "trustAttributes" => \&dump_trustattr, + "trustDirection" => \&dump_trustdirection, + "trustType" => \&dump_trusttype, + "uASCompat" => \&dump_uascompat, "userAccountControl" => \&dump_uac, - "msDS-User-Account-Control-Computed" => \&dump_uacc, + "userCertificate" => \&dump_cert, "userFlags" => \&dump_uf, "userParameters" => \&dump_munged_dial, "whenChanged" => \&dump_timestr, "whenCreated" => \&dump_timestr, +# "dSCorePropagationData" => \&dump_timestr, ); @@ -347,7 +476,8 @@ my %attr_handler = ( ################ sub usage { - print "usage: $0 [--base|-b base] [--debug level] [--debug level] [--DN|-D binddn] [--extendeddn|-e] [--help] [--host|-h host] [--machine|-P] [--metadata|-m] [--nodiffs] [--notify|-n] [--password|-w password] [--port port] [--rawdisplay] [--realm|-R realm] [--rootdse] [--saslmech|-Y saslmech] [--schema|-c] [--scope|-s scope] [--simpleauth|-x] [--starttls|-Z] [--user|-U user] [--wknguid] [--workgroup|-k workgroup] filter [attrs]\n"; + print "usage: $0 [--asq] [--base|-b base] [--debug level] [--debug level] [--DN|-D binddn] [--extendeddn|-e] [--help] [--host|-h host] [--machine|-P] [--metadata|-m] [--nodiffs] [--notify|-n] [--password|-w password] [--port port] [--rawdisplay] [--realm|-R realm] [--rootdse] [--saslmech|-Y saslmech] [--schema|-c] [--scope|-s scope] [--simpleauth|-x] [--starttls|-Z] [--user|-U user] [--wknguid] [--workgroup|-k workgroup] filter [attrs]\n"; + print "\t--asq [attribute]\n\t\tAttribute to use for a attribute scoped query (LDAP_SERVER_ASQ_OID)\n"; print "\t--base|-b [base]\n\t\tUse base [base]\n"; print "\t--debug [level]\n\t\tUse debuglevel (for Net::LDAP)\n"; print "\t--DN|-D [binddn]\n\t\tUse binddn or principal\n"; @@ -547,6 +677,8 @@ sub prompt_user { } sub check_ticket { + return 0; + # works only for heimdal return system("$klist -t"); } @@ -740,18 +872,32 @@ sub parse_ads_h { chomp($line); if ($line =~ /#define.UF.*0x/) { my ($tmp, $name, $val) = split(/\s+/,$line); - next if ($name =~ /UNUSED/); + next if ($name =~ /UNUSED/); +# $ads_uf{$name} = sprintf("%d", hex $val); $ads_uf{$name} = hex $val; } - if ($line =~ /#define.GTYPE.*0x/) { + if ($line =~ /#define.GROUP_TYPE.*0x/) { my ($tmp, $name, $val) = split(/\s+/,$line); - $ads_gtype{$name} = hex $val; + $ads_grouptype{$name} = hex $val; } if ($line =~ /#define.ATYPE.*0x/) { my ($tmp, $name, $val) = split(/\s+/,$line); $ads_atype{$name} = (exists $ads_atype{$val}) ? $ads_atype{$val} : hex $val; } + if ($line =~ /#define.GTYPE.*0x/) { + my ($val, $i); + my ($tmp, $name, @val) = split(/\s+/,$line); + foreach my $tempval (@val) { + if ($tempval =~ /^0x/) { + $val = $tempval; + last; + } + } + next if (!$val); + $ads_gtype{$name} = sprintf("%d", hex $val); + } + } close(ADSH); } @@ -825,52 +971,12 @@ sub display_result_diff ($) { sub sid2string ($) { + # Fix from Michael James my $binary_sid = shift; - my $inbuf2; - my $sid_rev; # [1] - my $num_auths; # [1] - my @id_auth; # [6] - my @sub_auths; - my $subauth; # [16] - my $sid_strout; - my $ia; - - my $tmp_sid = unpack 'H*', $binary_sid; - - # split the binary string - ($sid_rev, $num_auths, - $id_auth[0], $id_auth[1], $id_auth[2], $id_auth[3], $id_auth[4], $id_auth[5], - $sub_auths[0], $sub_auths[1], $sub_auths[2], $sub_auths[3], $sub_auths[4], $inbuf2) - = unpack 'H2 H2 H2 H2 H2 H2 H2 H2 h8 h8 h8 h8 h8 h*',"$binary_sid"; - - # don't ask... - for ( my $i = 0; $i < $num_auths; $i++ ) { - $sub_auths[$i] = reverse $sub_auths[$i]; - } - - # build the identifier authority - if ( ($id_auth[0] != 0) || ($id_auth[1] != 0) ) { - $ia = $id_auth[0]. - $id_auth[1]. - $id_auth[2]. - $id_auth[3]. - $id_auth[4]. - $id_auth[5]; - } else { - $ia = ($id_auth[5]) + - ($id_auth[4] << 8) + - ($id_auth[3] << 16) + - ($id_auth[2] << 24); - } - - # build the sid - $sid_strout = sprintf("S-%lu-%lu",hex($sid_rev),hex($ia)); - - for (my $i = 0; $i < $num_auths; $i++ ) { - $sid_strout .= sprintf( "-%lu", hex($sub_auths[$i]) ); - } - - return $sid_strout; + my($sid_rev, $num_auths, $id1, $id2, @ids) = unpack("H2 H2 n N V*", $binary_sid); + my $sid_string = join("-", "S", hex($sid_rev), ($id1<<32)+$id2, @ids); + return $sid_string; + } sub string_to_guid { @@ -959,9 +1065,10 @@ sub gen_bitmask_string_format($%) { foreach my $key (sort keys %tmp) { push(@list, sprintf("%s %s", $tmp{$key}, $key)); } - return join("\n$mod\t\t\t",@list); + return join("\n$mod$tabsize",@list); } + sub nt_to_unixtime ($) { # the number of 100 nanosecond intervals since jan. 1. 1601 (utc) my $t64 = shift; @@ -994,7 +1101,7 @@ sub dump_bitmask { my (%header) = @_; my %tmp; $tmp{""} = $val; - foreach my $key (sort keys %header) { + foreach my $key (sort keys %header) { # sort by val ! if ($op eq "&") { $tmp{$key} = ( $val & $header{$key} ) ? $set:$unset; } elsif ($op eq "==") { @@ -1019,6 +1126,18 @@ sub dump_uac { return dump_bitmask_and(@_,%ads_uf); # ads_uf ? } +sub dump_uascompat { + return dump_bitmask_equal(@_,%ads_uascompat); +} + +sub dump_gpoptions { + return dump_bitmask_equal(@_,%ads_gpoptions); +} + +sub dump_gpflags { + return dump_bitmask_equal(@_,%ads_gpflags); +} + sub dump_uacc { return dump_bitmask_equal(@_,%ads_uacc); } @@ -1028,7 +1147,10 @@ sub dump_uf { } sub dump_gtype { - return dump_bitmask_and(@_,%ads_gtype); + my $ret = dump_bitmask_and(@_,%ads_grouptype); + $ret .= "\n$tabsize\t"; + $ret .= dump_bitmask_equal(@_,%ads_gtype); + return $ret; } sub dump_atype { @@ -1059,6 +1181,34 @@ sub dump_ds_func { return dump_bitmask_equal(@_,%ads_ds_func); } +sub dump_serverstate { + return dump_bitmask_equal(@_,%ads_serverstate); +} + +sub dump_sdeffective { + return dump_bitmask_and(@_,%ads_sdeffective); +} + +sub dump_trustattr { + return dump_bitmask_equal(@_,%ads_trustattrs); +} + +sub dump_trusttype { + return dump_bitmask_equal(@_,%ads_trusttype); +} + +sub dump_trustdirection { + return dump_bitmask_equal(@_,%ads_trustdirection); +} + +sub dump_pwdproperties { + return dump_bitmask_and(@_,%ads_pwdproperties); +} + +sub dump_frstype { + return dump_bitmask_equal(@_,%ads_frstypes) +} + sub dump_mixed_domain { return dump_bitmask_equal(@_,%ads_mixed_domain); } @@ -1100,6 +1250,9 @@ sub dump_nttime_abs { sub dump_timestr { my $time = shift; + if ($time eq "16010101000010.0Z") { + return sprintf("%s (%s)", "never", $time); + } my ($year,$mon,$mday,$hour,$min,$sec,$zone) = unpack('a4 a2 a2 a2 a2 a2 a4', $time); $mon -= 1; @@ -1120,6 +1273,37 @@ sub dump_munged_dial { return "FIXME! decode this"; } +sub dump_cert { + + my $cert = shift; + open(OPENSSL, "| /usr/bin/openssl x509 -text -inform der"); + print OPENSSL $cert; + close(OPENSSL); + return ""; +} + +sub dump_pkt { + my $pkt = shift; + return "not yet"; + printf("%s: ", $pkt); + printf("%02X", $pkt); + +} + +sub dump_gplink { + + my $gplink = shift; + my $gplink_mod = $gplink; + my @links = split("\\]\\[", $gplink_mod); + foreach my $link (@links) { + $link =~ s/^\[|\]$//g; + my ($ldap_link, $opt) = split(";", $link); + my @array = ( "$opt", "\t" ); + printf("%slink: %s, opt: %s\n", $tabsize, $ldap_link, dump_bitmask_and(@array, %ads_gplink_opts)); + } + return $gplink; +} + sub construct_filter { my $tmp = shift; @@ -1154,10 +1338,12 @@ sub construct_attrs { push(@attrs,"replPropertyMetaData"); } - push(@attrs,"nTSecurityDescriptor"); - push(@attrs,"msDS-KeyVersionNumber"); - push(@attrs,"msDS-User-Account-Control-Computed"); - push(@attrs,"modifyTimeStamp"); + if ($opt_verbose) { + push(@attrs,"nTSecurityDescriptor"); + push(@attrs,"msDS-KeyVersionNumber"); + push(@attrs,"msDS-User-Account-Control-Computed"); + push(@attrs,"modifyTimeStamp"); + } return sort @attrs; } @@ -1183,29 +1369,50 @@ sub print_header { sub gen_controls { - my $asn = Convert::ASN1->new; - $asn->prepare( + # setup attribute-scoped query control + my $asq_asn = Convert::ASN1->new; + $asq_asn->prepare( + q< asq ::= SEQUENCE { + sourceAttribute OCTET_STRING + } + > + ); + my $ctl_asq_val = $asq_asn->encode( sourceAttribute => $opt_asq); + my $ctl_asq = Net::LDAP::Control->new( + type => $ads_controls{'LDAP_SERVER_ASQ_OID'}, + critical => 'true', + value => $ctl_asq_val); + + + # setup extended dn control + my $asn_extended_dn = Convert::ASN1->new; + $asn_extended_dn->prepare( q< ExtendedDn ::= SEQUENCE { mode INTEGER } > ); - my $ctl_extended_dn_val = $asn->encode( mode => '1'); + my $ctl_extended_dn_val = $asn_extended_dn->encode( mode => '1'); my $ctl_extended_dn =Net::LDAP::Control->new( type => $ads_controls{'LDAP_SERVER_EXTENDED_DN_OID'}, critical => 'true', value => $ctl_extended_dn_val); + + # setup notify control my $ctl_notification = Net::LDAP::Control->new( type => $ads_controls{'LDAP_SERVER_NOTIFICATION_OID'}, critical => 'true'); + + # setup paging control $ctl_paged = Net::LDAP::Control->new( type => $ads_controls{'LDAP_PAGED_RESULT_OID_STRING'}, critical => 'true', size => $page_size); + if ($paging) { push(@ctrls, $ctl_paged); push(@ctrls_s, "LDAP_PAGED_RESULT_OID_STRING" ); @@ -1220,6 +1427,11 @@ sub gen_controls { push(@ctrls_s, "LDAP_SERVER_NOTIFICATION_OID"); } + if ($opt_asq) { + push(@ctrls, $ctl_asq); + push(@ctrls_s, "LDAP_SERVER_ASQ_OID"); + } + return @ctrls; } @@ -1244,7 +1456,7 @@ sub display_attr_generic ($$$) { my $ref = $entry->get_value($attr, asref => 1); my @values = @$ref; - foreach my $value (@values) { + foreach my $value ( sort @values) { display_value_generic($mod,$attr,$value); } } @@ -1254,14 +1466,14 @@ sub display_entry_generic ($) { my $entry = shift; return if (!$entry); - foreach my $attr ( $entry->attributes) { + foreach my $attr ( sort $entry->attributes) { display_attr_generic("\t",$entry,$attr); } } sub display_ldap_err ($) { - my $msg = shift; + my $msg = shift; print_header(); my ($package, $filename, $line, $subroutine) = caller(0); @@ -1342,6 +1554,11 @@ sub notify_callback { while (1) { my $async_entry = $async_search->pop_entry; + + if (!$async_entry->dn) { + print "very weird. entry has no dn\n"; + next; + } printf("\ngot changenotify for dn: [%s]\n%s\n", $async_entry->dn, ("-" x 80)); @@ -1450,7 +1667,7 @@ sub main () { if ($opt_notify) { - print "[$base] is registered now for change-notify\n"; + print "Base [$base] is registered now for change-notify\n"; print "\nWaiting for change-notify...\n"; my $sync_ldap_hd = get_ldap_hd($server,0); -- cgit v1.2.1