libyal / libesedb

Library and tools to access the Extensible Storage Engine (ESE) Database File (EDB) format.
GNU Lesser General Public License v3.0
341 stars, 91 forks

unsupported last fixed size data type: 12 on ntds.dit #34

Closed jonbelanger closed 5 years ago

jonbelanger commented 7 years ago

This is with the default NTDS.dit after elevating the Windows Server 2016 server to AD controller.

I'm using vssadmin to create a shadow copy then verifying with DIT snapshot viewer. I had to run Esentutl on the file before it would load in the DIT snapshot viewer.

$ /usr/local/bin/esedbexport NTDS.dit
esedbexport 20171022

Opening file.
Unable to open: NTDS.dit.
libesedb_catalog_definition_read: unsupported last fixed size data type: 12.
libesedb_catalog_read: unable to read catalog definition.
libesedb_file_open_read: unable to read catalog.
libesedb_file_open_file_io_handle: unable to read from file handle.
libesedb_file_open: unable to open file: NTDS.dit.
export_handle_open: unable to open input file.

joachimmetz commented 7 years ago

Could you check whether the file is dirty; otherwise share the file or debug output with me.

jonbelanger commented 7 years ago

Recompiled using:

$ make clean
$ CPPCFLAGS=-g ./configure --enable-shared=no
$ make
$ sudo make install

$ ls -l /usr/local/bin/esedbinfo
-rwxr-xr-x 1 root root 3196836 Nov 1 12:11 /usr/local/bin/esedbinfo

$ gdb --ex r --args /usr/local/bin/esedbinfo ../NTDS.dit
GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.3) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
http://www.gnu.org/software/gdb/bugs/.
Find the GDB manual and other documentation resources online at:
http://www.gnu.org/software/gdb/documentation/.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/local/bin/esedbinfo...done.
Starting program: /usr/local/bin/esedbinfo ../NTDS.dit
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
esedbinfo 20171022

Unable to open: ../NTDS.dit.
libesedb_catalog_definition_read: unsupported last fixed size data type: 12.
libesedb_catalog_read: unable to read catalog definition.
libesedb_file_open_read: unable to read catalog.
libesedb_file_open_file_io_handle: unable to read from file handle.
libesedb_file_open: unable to open file: ../NTDS.dit.
info_handle_open: unable to open input file.
[Inferior 1 (process 10267) exited with code 01]
(gdb) bt
No stack.

joachimmetz commented 7 years ago

I meant "debug output", recompile with:

./configure --enable-debug-output --enable-verbose-output
make

No need to run make install.

Run with:

esedbtools/esedbinfo -v ../NTDS.dit 2>../debug.log

jonbelanger commented 7 years ago

Thanks for the help. debug.log

joachimmetz commented 7 years ago

Thx, I'll have a look as soon as time permits.

3ldidi94 commented 6 years ago

Hello Guys,

I have exactly the same issue on Windows Server 2016. Did you find a workaround or something since the last update?

Thanks

WANFlex commented 6 years ago

Hi,

I've the same problem and generated a debug.log output from Windows Server 2016 DC.

Contact me if I can help with anything you want.

Regards,

debug.log

Lexus89 commented 6 years ago

Same problem here, any idea when a fix might be available?

jonbelanger commented 6 years ago

I haven't heard back on this issue since I first reported it.

joachimmetz commented 6 years ago

> Same problem here, any idea when a fix might be available?

@Lexus89, whenever time permits or someone else offers to provide a patch.

@jonbelanger, I'm very busy and have very little time to work on this project at the moment.

jskrivseth commented 6 years ago

+1

c0d3z3r0 commented 6 years ago

+1

Raknor commented 6 years ago

In libesedb/libesedb_catalog_definition.c:300:

A check verifies the size of something:

if( last_fixed_size_data_type > 11 )
{
	libcerror_error_set(
	 error,
	 LIBCERROR_ERROR_DOMAIN_RUNTIME,
	 LIBCERROR_RUNTIME_ERROR_UNSUPPORTED_VALUE,
	 "%s: unsupported last fixed size data type: %" PRIu8 ".",
	 function,
	 last_fixed_size_data_type );

	return( -1 );
}

So this is the reported error.

However, in libesedb/libesedb_catalog_definition.c:286, a comment relates to a 16-byte length, according to unspecified documentation: `/* As far as the documentation states

I didn't dig into the issue deeper; I just changed the checked value (11 -> 12) so it does not trigger the error (ugly!!!!), recompiled, installed. And so far, no more issues, and I could import data into btaminer (accuracy is another topic though).

But without a clue about the mentioned documentation, I can't verify if this is a proper fix... or just a temporary workaround.
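The comment above raises the question of why a bound like `> 11` exists at all and what raising it to 12 without knowing the new field's size actually does. The following is an added illustration, not code from libesedb or from anyone in this thread: a strict table-driven parser that fails closed on an unknown fixed-size data type id, next to a "just raise the bound" variant that accepts the id but has no size for it, so every offset after it is wrong. The record layout, the per-type sizes and the sample records are constructed for the example and are not the real ESE catalog definition format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Byte size of each fixed-size data type, indexed by type id (ids 1..11).
 * These sizes and the record layout below are CONSTRUCTED for illustration;
 * they are not the real ESE catalog definition layout. */
#define LAST_SUPPORTED_FIXED_TYPE 11
static const size_t fixed_type_size[LAST_SUPPORTED_FIXED_TYPE + 1] = {
    0, 1, 1, 2, 4, 4, 1, 1, 2, 4, 4, 2
};

enum { PARSE_OK = 0, PARSE_UNSUPPORTED_TYPE = -1, PARSE_TRUNCATED = -2 };

/* Strict parser: byte 0 is "last fixed size data type"; fields 1..last follow
 * back to back. An id beyond the table is rejected (fail closed), because its
 * size is unknown and every offset after it depends on that size.
 * On success *end receives the offset where the variable-size part starts. */
int parse_fixed_part_strict(const uint8_t *buf, size_t len, size_t *end)
{
    if (len < 1)
        return PARSE_TRUNCATED;
    int last = buf[0];
    if (last > LAST_SUPPORTED_FIXED_TYPE)
        return PARSE_UNSUPPORTED_TYPE;
    size_t off = 1;
    for (int t = 1; t <= last; t++) {
        if (fixed_type_size[t] > len - off)
            return PARSE_TRUNCATED;
        off += fixed_type_size[t];
    }
    *end = off;
    return PARSE_OK;
}

/* "Just raise the bound" parser: accepts any id but has no size for ids above
 * the table, so it silently treats them as zero-length. It returns PARSE_OK
 * with an *end that points into the middle of the unknown field. */
int parse_fixed_part_loose(const uint8_t *buf, size_t len, size_t *end)
{
    if (len < 1)
        return PARSE_TRUNCATED;
    int last = buf[0];
    size_t off = 1;
    for (int t = 1; t <= last; t++) {
        size_t sz = (t <= LAST_SUPPORTED_FIXED_TYPE) ? fixed_type_size[t] : 0;
        if (sz > len - off)
            return PARSE_TRUNCATED;
        off += sz;
    }
    *end = off;
    return PARSE_OK;
}

/* Constructed record declaring last fixed type 12. Types 1..11 occupy 26 bytes
 * after the header byte (offsets 1..26); the hypothetical 4-byte type 12 sits at
 * offsets 27..30, so the variable part really starts at offset 31, marked 0xEE. */
#define TRUE_VARIABLE_OFFSET 31
static const uint8_t record_v12[40] = { [0] = 12, [TRUE_VARIABLE_OFFSET] = 0xEE };

/* Constructed well-formed record: last type 3 -> 1 + 1 + 1 + 2 = offset 5. */
static const uint8_t record_v3[8] = { 3, 0xAA, 0xBB, 0x01, 0x02, 0xEE, 0, 0 };

int strict_result_v12(void)
{
    size_t end = 0;
    return parse_fixed_part_strict(record_v12, sizeof record_v12, &end);
}

size_t loose_end_v12(void)
{
    size_t end = 0;
    parse_fixed_part_loose(record_v12, sizeof record_v12, &end);
    return end;
}

size_t strict_end_v3(void)
{
    size_t end = 0;
    parse_fixed_part_strict(record_v3, sizeof record_v3, &end);
    return end;
}

int main(void)
{
    printf("strict on v12 record: %d (expect %d, unsupported)\n",
           strict_result_v12(), PARSE_UNSUPPORTED_TYPE);
    printf("loose on v12 record: variable part at %zu, marker actually at %d\n",
           loose_end_v12(), TRUE_VARIABLE_OFFSET);
    printf("strict on v3 record: variable part at %zu\n", strict_end_v3());
    return 0;
}
```

The strict version is the behaviour the thread reports (a clean error naming the unsupported value), which is the safe default for a forensic parser: the loose version reads the wrong bytes for every field that follows without any error, so exported data would be silently corrupt. Real support for a new type id means adding its size to the table, as the fix linked at the end of this thread does for the actual format.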

joachimmetz commented 5 years ago

Hey, can you instruct whatever ntdsextract guide you are using to update it?

This is not the ntdsextract support tracker and, as indicated before, this library is not intended for the purposes of ntdsextract.

joachimmetz commented 5 years ago

Removed ntdsextract-related (off-topic) comments.

joachimmetz commented 5 years ago

Finally got time to look into this and added support: https://github.com/libyal/libesedb/commit/37d37727abf439feea7b97d98e8d55a82c904c8f