2012-02-28 05:24:41 -06:00
|
|
|
# Authors:
|
|
|
|
|
# Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
|
|
#
|
|
|
|
|
# Copyright (C) 2011 Red Hat
|
|
|
|
|
# see file 'COPYING' for use and warranty information
|
|
|
|
|
#
|
|
|
|
|
# Portions (C) Andrew Tridgell, Andrew Bartlett
|
|
|
|
|
#
|
|
|
|
|
# This program is free software; you can redistribute it and/or modify
|
|
|
|
|
# it under the terms of the GNU General Public License as published by
|
|
|
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
|
|
|
# (at your option) any later version.
|
|
|
|
|
#
|
|
|
|
|
# This program is distributed in the hope that it will be useful,
|
|
|
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
# GNU General Public License for more details.
|
|
|
|
|
#
|
|
|
|
|
# You should have received a copy of the GNU General Public License
|
|
|
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
|
|
|
|
|
|
# Make sure we only run this module at the server where samba4-python
|
|
|
|
|
# package is installed to avoid issues with unavailable modules
|
|
|
|
|
|
|
|
|
|
from ipalib.plugins.baseldap import *
|
|
|
|
|
from ipalib import api, Str, Password, DefaultFrom, _, ngettext, Object
|
|
|
|
|
from ipalib.parameters import Enum
|
|
|
|
|
from ipalib import Command
|
|
|
|
|
from ipalib import errors
|
|
|
|
|
from ipapython import ipautil
|
2012-08-01 02:14:09 -05:00
|
|
|
from ipapython.ipa_log_manager import *
|
2012-10-31 14:52:12 -05:00
|
|
|
from ipapython.dn import DN
|
2012-05-15 12:10:28 -05:00
|
|
|
from ipaserver.install import installutils
|
2012-11-15 04:21:16 -06:00
|
|
|
from ipalib.util import normalize_name
|
2012-02-28 05:24:41 -06:00
|
|
|
|
|
|
|
|
import os, string, struct, copy
|
|
|
|
|
import uuid
|
|
|
|
|
from samba import param
|
|
|
|
|
from samba import credentials
|
2012-09-13 12:01:55 -05:00
|
|
|
from samba.dcerpc import security, lsa, drsblobs, nbt, netlogon
|
2012-02-28 05:24:41 -06:00
|
|
|
from samba.ndr import ndr_pack
|
|
|
|
|
from samba import net
|
|
|
|
|
import samba
|
|
|
|
|
import random
|
2012-11-21 10:33:49 -06:00
|
|
|
from M2Crypto import RC4
|
2012-09-25 09:23:33 -05:00
|
|
|
try:
|
|
|
|
|
from ldap.controls import RequestControl as LDAPControl #pylint: disable=F0401
|
|
|
|
|
except ImportError:
|
|
|
|
|
from ldap.controls import LDAPControl as LDAPControl #pylint: disable=F0401
|
|
|
|
|
import ldap as _ldap
|
2012-10-31 14:52:12 -05:00
|
|
|
from ipaserver.ipaldap import IPAdmin
|
|
|
|
|
from ipalib.session import krbccache_dir, krbccache_prefix
|
|
|
|
|
from dns import resolver, rdatatype
|
|
|
|
|
from dns.exception import DNSException
|
2012-02-28 05:24:41 -06:00
|
|
|
|
|
|
|
|
__doc__ = _("""
|
|
|
|
|
Classes to manage trust joins using DCE-RPC calls
|
|
|
|
|
|
|
|
|
|
The code in this module relies heavily on samba4-python package
|
|
|
|
|
and Samba4 python bindings.
|
|
|
|
|
""")
|
|
|
|
|
|
2013-02-07 07:59:00 -06:00
|
|
|
def is_sid_valid(sid):
|
|
|
|
|
try:
|
|
|
|
|
security.dom_sid(sid)
|
|
|
|
|
except TypeError:
|
|
|
|
|
return False
|
|
|
|
|
else:
|
|
|
|
|
return True
|
|
|
|
|
|
2012-08-13 08:35:19 -05:00
|
|
|
access_denied_error = errors.ACIError(info=_('CIFS server denied your credentials'))
|
2012-08-01 02:14:09 -05:00
|
|
|
dcerpc_error_codes = {
|
2012-08-13 08:35:19 -05:00
|
|
|
-1073741823:
|
|
|
|
|
errors.RemoteRetrieveError(reason=_('communication with CIFS server was unsuccessful')),
|
2012-08-01 02:14:09 -05:00
|
|
|
-1073741790: access_denied_error,
|
|
|
|
|
-1073741715: access_denied_error,
|
|
|
|
|
-1073741614: access_denied_error,
|
2012-08-13 08:35:19 -05:00
|
|
|
-1073741603:
|
|
|
|
|
errors.ValidationError(name=_('AD domain controller'), error=_('unsupported functional level')),
|
2012-08-01 02:14:09 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
dcerpc_error_messages = {
|
2012-08-13 08:35:19 -05:00
|
|
|
"NT_STATUS_OBJECT_NAME_NOT_FOUND":
|
|
|
|
|
errors.NotFound(reason=_('Cannot find specified domain or server name')),
|
|
|
|
|
"NT_STATUS_INVALID_PARAMETER_MIX":
|
|
|
|
|
errors.RequirementError(name=_('At least the domain or IP address should be specified')),
|
2012-08-01 02:14:09 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
def assess_dcerpc_exception(num=None,message=None):
|
|
|
|
|
"""
|
|
|
|
|
Takes error returned by Samba bindings and converts it into
|
|
|
|
|
an IPA error class.
|
|
|
|
|
"""
|
|
|
|
|
if num and num in dcerpc_error_codes:
|
|
|
|
|
return dcerpc_error_codes[num]
|
|
|
|
|
if message and message in dcerpc_error_messages:
|
|
|
|
|
return dcerpc_error_messages[message]
|
2012-08-13 08:35:19 -05:00
|
|
|
reason = _('''CIFS server communication error: code "%(num)s",
|
|
|
|
|
message "%(message)s" (both may be "None")''') % dict(num=num, message=message)
|
|
|
|
|
return errors.RemoteRetrieveError(reason=reason)
|
2012-08-01 02:14:09 -05:00
|
|
|
|
2012-09-25 09:23:33 -05:00
|
|
|
class ExtendedDNControl(LDAPControl):
|
|
|
|
|
# This class attempts to implement LDAP control that would work
|
|
|
|
|
# with both python-ldap 2.4.x and 2.3.x, thus there is mix of properties
|
|
|
|
|
# from both worlds and encodeControlValue has default parameter
|
2012-02-28 05:24:41 -06:00
|
|
|
def __init__(self):
|
2012-09-25 09:23:33 -05:00
|
|
|
self.controlValue = 1
|
2012-02-28 05:24:41 -06:00
|
|
|
self.controlType = "1.2.840.113556.1.4.529"
|
|
|
|
|
self.criticality = False
|
|
|
|
|
self.integerValue = 1
|
|
|
|
|
|
2012-09-25 09:23:33 -05:00
|
|
|
def encodeControlValue(self, value=None):
|
2012-02-28 05:24:41 -06:00
|
|
|
return '0\x03\x02\x01\x01'
|
|
|
|
|
|
2012-06-20 08:08:33 -05:00
|
|
|
class DomainValidator(object):
|
|
|
|
|
ATTR_FLATNAME = 'ipantflatname'
|
|
|
|
|
ATTR_SID = 'ipantsecurityidentifier'
|
|
|
|
|
ATTR_TRUSTED_SID = 'ipanttrusteddomainsid'
|
2012-10-31 14:52:12 -05:00
|
|
|
ATTR_TRUST_PARTNER = 'ipanttrustpartner'
|
|
|
|
|
ATTR_TRUST_AUTHOUT = 'ipanttrustauthoutgoing'
|
2012-06-20 08:08:33 -05:00
|
|
|
|
|
|
|
|
def __init__(self, api):
|
|
|
|
|
self.api = api
|
|
|
|
|
self.ldap = self.api.Backend.ldap2
|
|
|
|
|
self.domain = None
|
|
|
|
|
self.flatname = None
|
|
|
|
|
self.dn = None
|
|
|
|
|
self.sid = None
|
|
|
|
|
self._domains = None
|
2012-10-31 14:52:12 -05:00
|
|
|
self._info = dict()
|
|
|
|
|
self._creds = None
|
|
|
|
|
self._parm = None
|
2012-06-20 08:08:33 -05:00
|
|
|
|
|
|
|
|
def is_configured(self):
|
|
|
|
|
cn_trust_local = DN(('cn', self.api.env.domain), self.api.env.container_cifsdomains, self.api.env.basedn)
|
|
|
|
|
try:
|
Use DN objects instead of strings
* Convert every string specifying a DN into a DN object
* Every place a dn was manipulated in some fashion it was replaced by
the use of DN operators
* Add new DNParam parameter type for parameters which are DN's
* DN objects are used 100% of the time throughout the entire data
pipeline whenever something is logically a dn.
* Many classes now enforce DN usage for their attributes which are
dn's. This is implmented via ipautil.dn_attribute_property(). The
only permitted types for a class attribute specified to be a DN are
either None or a DN object.
* Require that every place a dn is used it must be a DN object.
This translates into lot of::
assert isinstance(dn, DN)
sprinkled through out the code. Maintaining these asserts is
valuable to preserve DN type enforcement. The asserts can be
disabled in production.
The goal of 100% DN usage 100% of the time has been realized, these
asserts are meant to preserve that.
The asserts also proved valuable in detecting functions which did
not obey their function signatures, such as the baseldap pre and
post callbacks.
* Moved ipalib.dn to ipapython.dn because DN class is shared with all
components, not just the server which uses ipalib.
* All API's now accept DN's natively, no need to convert to str (or
unicode).
* Removed ipalib.encoder and encode/decode decorators. Type conversion
is now explicitly performed in each IPASimpleLDAPObject method which
emulates a ldap.SimpleLDAPObject method.
* Entity & Entry classes now utilize DN's
* Removed __getattr__ in Entity & Entity clases. There were two
problems with it. It presented synthetic Python object attributes
based on the current LDAP data it contained. There is no way to
validate synthetic attributes using code checkers, you can't search
the code to find LDAP attribute accesses (because synthetic
attriutes look like Python attributes instead of LDAP data) and
error handling is circumscribed. Secondly __getattr__ was hiding
Python internal methods which broke class semantics.
* Replace use of methods inherited from ldap.SimpleLDAPObject via
IPAdmin class with IPAdmin methods. Directly using inherited methods
was causing us to bypass IPA logic. Mostly this meant replacing the
use of search_s() with getEntry() or getList(). Similarly direct
access of the LDAP data in classes using IPAdmin were replaced with
calls to getValue() or getValues().
* Objects returned by ldap2.find_entries() are now compatible with
either the python-ldap access methodology or the Entity/Entry access
methodology.
* All ldap operations now funnel through the common
IPASimpleLDAPObject giving us a single location where we interface
to python-ldap and perform conversions.
* The above 4 modifications means we've greatly reduced the
proliferation of multiple inconsistent ways to perform LDAP
operations. We are well on the way to having a single API in IPA for
doing LDAP (a long range goal).
* All certificate subject bases are now DN's
* DN objects were enhanced thusly:
- find, rfind, index, rindex, replace and insert methods were added
- AVA, RDN and DN classes were refactored in immutable and mutable
variants, the mutable variants are EditableAVA, EditableRDN and
EditableDN. By default we use the immutable variants preserving
important semantics. To edit a DN cast it to an EditableDN and
cast it back to DN when done editing. These issues are fully
described in other documentation.
- first_key_match was removed
- DN equalty comparison permits comparison to a basestring
* Fixed ldapupdate to work with DN's. This work included:
- Enhance test_updates.py to do more checking after applying
update. Add test for update_from_dict(). Convert code to use
unittest classes.
- Consolidated duplicate code.
- Moved code which should have been in the class into the class.
- Fix the handling of the 'deleteentry' update action. It's no longer
necessary to supply fake attributes to make it work. Detect case
where subsequent update applies a change to entry previously marked
for deletetion. General clean-up and simplification of the
'deleteentry' logic.
- Rewrote a couple of functions to be clearer and more Pythonic.
- Added documentation on the data structure being used.
- Simplfy the use of update_from_dict()
* Removed all usage of get_schema() which was being called prior to
accessing the .schema attribute of an object. If a class is using
internal lazy loading as an optimization it's not right to require
users of the interface to be aware of internal
optimization's. schema is now a property and when the schema
property is accessed it calls a private internal method to perform
the lazy loading.
* Added SchemaCache class to cache the schema's from individual
servers. This was done because of the observation we talk to
different LDAP servers, each of which may have it's own
schema. Previously we globally cached the schema from the first
server we connected to and returned that schema in all contexts. The
cache includes controls to invalidate it thus forcing a schema
refresh.
* Schema caching is now senstive to the run time context. During
install and upgrade the schema can change leading to errors due to
out-of-date cached schema. The schema cache is refreshed in these
contexts.
* We are aware of the LDAP syntax of all LDAP attributes. Every
attribute returned from an LDAP operation is passed through a
central table look-up based on it's LDAP syntax. The table key is
the LDAP syntax it's value is a Python callable that returns a
Python object matching the LDAP syntax. There are a handful of LDAP
attributes whose syntax is historically incorrect
(e.g. DistguishedNames that are defined as DirectoryStrings). The
table driven conversion mechanism is augmented with a table of
hard coded exceptions.
Currently only the following conversions occur via the table:
- dn's are converted to DN objects
- binary objects are converted to Python str objects (IPA
convention).
- everything else is converted to unicode using UTF-8 decoding (IPA
convention).
However, now that the table driven conversion mechanism is in place
it would be trivial to do things such as converting attributes
which have LDAP integer syntax into a Python integer, etc.
* Expected values in the unit tests which are a DN no longer need to
use lambda expressions to promote the returned value to a DN for
equality comparison. The return value is automatically promoted to
a DN. The lambda expressions have been removed making the code much
simpler and easier to read.
* Add class level logging to a number of classes which did not support
logging, less need for use of root_logger.
* Remove ipaserver/conn.py, it was unused.
* Consolidated duplicate code wherever it was found.
* Fixed many places that used string concatenation to form a new
string rather than string formatting operators. This is necessary
because string formatting converts it's arguments to a string prior
to building the result string. You can't concatenate a string and a
non-string.
* Simplify logic in rename_managed plugin. Use DN operators to edit
dn's.
* The live version of ipa-ldap-updater did not generate a log file.
The offline version did, now both do.
https://fedorahosted.org/freeipa/ticket/1670
https://fedorahosted.org/freeipa/ticket/1671
https://fedorahosted.org/freeipa/ticket/1672
https://fedorahosted.org/freeipa/ticket/1673
https://fedorahosted.org/freeipa/ticket/1674
https://fedorahosted.org/freeipa/ticket/1392
https://fedorahosted.org/freeipa/ticket/2872
2012-05-13 06:36:35 -05:00
|
|
|
(dn, entry_attrs) = self.ldap.get_entry(cn_trust_local, [self.ATTR_FLATNAME, self.ATTR_SID])
|
2012-06-20 08:08:33 -05:00
|
|
|
self.flatname = entry_attrs[self.ATTR_FLATNAME][0]
|
|
|
|
|
self.sid = entry_attrs[self.ATTR_SID][0]
|
|
|
|
|
self.dn = dn
|
|
|
|
|
self.domain = self.api.env.domain
|
|
|
|
|
except errors.NotFound, e:
|
|
|
|
|
return False
|
|
|
|
|
return True
|
|
|
|
|
|
|
|
|
|
def get_trusted_domains(self):
|
2012-10-31 14:52:12 -05:00
|
|
|
"""Returns dict of trusted domain tuples (flatname, sid, trust_auth_outgoing), keyed by domain name"""
|
2012-06-20 08:08:33 -05:00
|
|
|
cn_trust = DN(('cn', 'ad'), self.api.env.container_trusts, self.api.env.basedn)
|
|
|
|
|
try:
|
|
|
|
|
search_kw = {'objectClass': 'ipaNTTrustedDomain'}
|
|
|
|
|
filter = self.ldap.make_filter(search_kw, rules=self.ldap.MATCH_ALL)
|
Use DN objects instead of strings
* Convert every string specifying a DN into a DN object
* Every place a dn was manipulated in some fashion it was replaced by
the use of DN operators
* Add new DNParam parameter type for parameters which are DN's
* DN objects are used 100% of the time throughout the entire data
pipeline whenever something is logically a dn.
* Many classes now enforce DN usage for their attributes which are
dn's. This is implmented via ipautil.dn_attribute_property(). The
only permitted types for a class attribute specified to be a DN are
either None or a DN object.
* Require that every place a dn is used it must be a DN object.
This translates into lot of::
assert isinstance(dn, DN)
sprinkled through out the code. Maintaining these asserts is
valuable to preserve DN type enforcement. The asserts can be
disabled in production.
The goal of 100% DN usage 100% of the time has been realized, these
asserts are meant to preserve that.
The asserts also proved valuable in detecting functions which did
not obey their function signatures, such as the baseldap pre and
post callbacks.
* Moved ipalib.dn to ipapython.dn because DN class is shared with all
components, not just the server which uses ipalib.
* All API's now accept DN's natively, no need to convert to str (or
unicode).
* Removed ipalib.encoder and encode/decode decorators. Type conversion
is now explicitly performed in each IPASimpleLDAPObject method which
emulates a ldap.SimpleLDAPObject method.
* Entity & Entry classes now utilize DN's
* Removed __getattr__ in Entity & Entity clases. There were two
problems with it. It presented synthetic Python object attributes
based on the current LDAP data it contained. There is no way to
validate synthetic attributes using code checkers, you can't search
the code to find LDAP attribute accesses (because synthetic
attriutes look like Python attributes instead of LDAP data) and
error handling is circumscribed. Secondly __getattr__ was hiding
Python internal methods which broke class semantics.
* Replace use of methods inherited from ldap.SimpleLDAPObject via
IPAdmin class with IPAdmin methods. Directly using inherited methods
was causing us to bypass IPA logic. Mostly this meant replacing the
use of search_s() with getEntry() or getList(). Similarly direct
access of the LDAP data in classes using IPAdmin were replaced with
calls to getValue() or getValues().
* Objects returned by ldap2.find_entries() are now compatible with
either the python-ldap access methodology or the Entity/Entry access
methodology.
* All ldap operations now funnel through the common
IPASimpleLDAPObject giving us a single location where we interface
to python-ldap and perform conversions.
* The above 4 modifications means we've greatly reduced the
proliferation of multiple inconsistent ways to perform LDAP
operations. We are well on the way to having a single API in IPA for
doing LDAP (a long range goal).
* All certificate subject bases are now DN's
* DN objects were enhanced thusly:
- find, rfind, index, rindex, replace and insert methods were added
- AVA, RDN and DN classes were refactored in immutable and mutable
variants, the mutable variants are EditableAVA, EditableRDN and
EditableDN. By default we use the immutable variants preserving
important semantics. To edit a DN cast it to an EditableDN and
cast it back to DN when done editing. These issues are fully
described in other documentation.
- first_key_match was removed
- DN equalty comparison permits comparison to a basestring
* Fixed ldapupdate to work with DN's. This work included:
- Enhance test_updates.py to do more checking after applying
update. Add test for update_from_dict(). Convert code to use
unittest classes.
- Consolidated duplicate code.
- Moved code which should have been in the class into the class.
- Fix the handling of the 'deleteentry' update action. It's no longer
necessary to supply fake attributes to make it work. Detect case
where subsequent update applies a change to entry previously marked
for deletetion. General clean-up and simplification of the
'deleteentry' logic.
- Rewrote a couple of functions to be clearer and more Pythonic.
- Added documentation on the data structure being used.
- Simplfy the use of update_from_dict()
* Removed all usage of get_schema() which was being called prior to
accessing the .schema attribute of an object. If a class is using
internal lazy loading as an optimization it's not right to require
users of the interface to be aware of internal
optimization's. schema is now a property and when the schema
property is accessed it calls a private internal method to perform
the lazy loading.
* Added SchemaCache class to cache the schema's from individual
servers. This was done because of the observation we talk to
different LDAP servers, each of which may have it's own
schema. Previously we globally cached the schema from the first
server we connected to and returned that schema in all contexts. The
cache includes controls to invalidate it thus forcing a schema
refresh.
* Schema caching is now senstive to the run time context. During
install and upgrade the schema can change leading to errors due to
out-of-date cached schema. The schema cache is refreshed in these
contexts.
* We are aware of the LDAP syntax of all LDAP attributes. Every
attribute returned from an LDAP operation is passed through a
central table look-up based on it's LDAP syntax. The table key is
the LDAP syntax it's value is a Python callable that returns a
Python object matching the LDAP syntax. There are a handful of LDAP
attributes whose syntax is historically incorrect
(e.g. DistguishedNames that are defined as DirectoryStrings). The
table driven conversion mechanism is augmented with a table of
hard coded exceptions.
Currently only the following conversions occur via the table:
- dn's are converted to DN objects
- binary objects are converted to Python str objects (IPA
convention).
- everything else is converted to unicode using UTF-8 decoding (IPA
convention).
However, now that the table driven conversion mechanism is in place
it would be trivial to do things such as converting attributes
which have LDAP integer syntax into a Python integer, etc.
* Expected values in the unit tests which are a DN no longer need to
use lambda expressions to promote the returned value to a DN for
equality comparison. The return value is automatically promoted to
a DN. The lambda expressions have been removed making the code much
simpler and easier to read.
* Add class level logging to a number of classes which did not support
logging, less need for use of root_logger.
* Remove ipaserver/conn.py, it was unused.
* Consolidated duplicate code wherever it was found.
* Fixed many places that used string concatenation to form a new
string rather than string formatting operators. This is necessary
because string formatting converts it's arguments to a string prior
to building the result string. You can't concatenate a string and a
non-string.
* Simplify logic in rename_managed plugin. Use DN operators to edit
dn's.
* The live version of ipa-ldap-updater did not generate a log file.
The offline version did, now both do.
https://fedorahosted.org/freeipa/ticket/1670
https://fedorahosted.org/freeipa/ticket/1671
https://fedorahosted.org/freeipa/ticket/1672
https://fedorahosted.org/freeipa/ticket/1673
https://fedorahosted.org/freeipa/ticket/1674
https://fedorahosted.org/freeipa/ticket/1392
https://fedorahosted.org/freeipa/ticket/2872
2012-05-13 06:36:35 -05:00
|
|
|
(entries, truncated) = self.ldap.find_entries(filter=filter, base_dn=cn_trust,
|
2012-10-31 14:52:12 -05:00
|
|
|
attrs_list=[self.ATTR_TRUSTED_SID,
|
|
|
|
|
self.ATTR_FLATNAME,
|
|
|
|
|
self.ATTR_TRUST_PARTNER,
|
|
|
|
|
self.ATTR_TRUST_AUTHOUT])
|
2012-06-20 08:08:33 -05:00
|
|
|
|
2012-10-31 14:52:12 -05:00
|
|
|
result = dict()
|
2013-01-24 04:51:58 -06:00
|
|
|
for dn, entry in entries:
|
|
|
|
|
try:
|
|
|
|
|
trust_partner = entry[self.ATTR_TRUST_PARTNER][0]
|
|
|
|
|
flatname_normalized = entry[self.ATTR_FLATNAME][0].lower()
|
|
|
|
|
trusted_sid = entry[self.ATTR_TRUSTED_SID][0]
|
|
|
|
|
except KeyError, e:
|
|
|
|
|
# Some piece of trusted domain info in LDAP is missing
|
|
|
|
|
# Skip the domain, but leave log entry for investigation
|
|
|
|
|
api.log.warn("Trusted domain '%s' entry misses an attribute: %s",
|
|
|
|
|
dn, e)
|
|
|
|
|
continue
|
|
|
|
|
trust_authout = entry.get(self.ATTR_TRUST_AUTHOUT, [None])[0]
|
|
|
|
|
|
|
|
|
|
# We were able to read all Trusted domain attributes but the secret
|
|
|
|
|
# User is not member of trust admins group
|
|
|
|
|
if trust_authout is None:
|
|
|
|
|
raise errors.ACIError(
|
|
|
|
|
info=_('communication with trusted domains is allowed '
|
|
|
|
|
'for Trusts administrator group members only'))
|
|
|
|
|
|
|
|
|
|
result[trust_partner] = (flatname_normalized,
|
|
|
|
|
security.dom_sid(trusted_sid),
|
|
|
|
|
trust_authout)
|
2012-09-25 09:25:42 -05:00
|
|
|
return result
|
2012-06-20 08:08:33 -05:00
|
|
|
except errors.NotFound, e:
|
|
|
|
|
return []
|
|
|
|
|
|
2013-01-18 10:28:39 -06:00
|
|
|
def get_domain_by_sid(self, sid):
|
2012-06-20 08:08:33 -05:00
|
|
|
if not self.domain:
|
|
|
|
|
# our domain is not configured or self.is_configured() never run
|
|
|
|
|
# reject SIDs as we can't check correctness of them
|
2013-01-18 10:28:39 -06:00
|
|
|
raise errors.ValidationError(name='sid',
|
|
|
|
|
error=_('domain is not configured'))
|
2012-06-20 08:08:33 -05:00
|
|
|
# Parse sid string to see if it is really in a SID format
|
|
|
|
|
try:
|
|
|
|
|
test_sid = security.dom_sid(sid)
|
2012-09-25 09:25:42 -05:00
|
|
|
except TypeError, e:
|
2013-01-18 10:28:39 -06:00
|
|
|
raise errors.ValidationError(name='sid',
|
|
|
|
|
error=_('SID is not valid'))
|
2012-06-20 08:08:33 -05:00
|
|
|
# At this point we have SID_NT_AUTHORITY family SID and really need to
|
|
|
|
|
# check it against prefixes of domain SIDs we trust to
|
|
|
|
|
if not self._domains:
|
|
|
|
|
self._domains = self.get_trusted_domains()
|
|
|
|
|
if len(self._domains) == 0:
|
|
|
|
|
# Our domain is configured but no trusted domains are configured
|
|
|
|
|
# This means we can't check the correctness of a trusted domain SIDs
|
2013-01-18 10:28:39 -06:00
|
|
|
raise errors.ValidationError(name='sid',
|
|
|
|
|
error=_('no trusted domain is configured'))
|
2012-06-20 08:08:33 -05:00
|
|
|
# We have non-zero list of trusted domains and have to go through them
|
|
|
|
|
# one by one and check their sids as prefixes
|
2012-09-25 09:25:42 -05:00
|
|
|
test_sid_subauths = test_sid.sub_auths
|
2012-10-31 14:52:12 -05:00
|
|
|
for domain in self._domains:
|
|
|
|
|
domsid = self._domains[domain][1]
|
2012-09-25 09:25:42 -05:00
|
|
|
sub_auths = domsid.sub_auths
|
|
|
|
|
num_auths = min(test_sid.num_auths, domsid.num_auths)
|
|
|
|
|
if test_sid_subauths[:num_auths] == sub_auths[:num_auths]:
|
2013-01-18 10:28:39 -06:00
|
|
|
return domain
|
|
|
|
|
raise errors.NotFound(reason=_('SID does not match any trusted domain'))
|
|
|
|
|
|
|
|
|
|
def is_trusted_sid_valid(self, sid):
|
|
|
|
|
try:
|
|
|
|
|
self.get_domain_by_sid(sid)
|
|
|
|
|
except (errors.ValidationError, errors.NotFound):
|
|
|
|
|
return False
|
|
|
|
|
else:
|
|
|
|
|
return True
|
2012-06-20 08:08:33 -05:00
|
|
|
|
2013-02-04 07:33:53 -06:00
|
|
|
def get_sid_from_domain_name(self, name):
|
|
|
|
|
"""Returns binary representation of SID for the trusted domain name
|
|
|
|
|
or None if name is not in the list of trusted domains."""
|
|
|
|
|
|
|
|
|
|
domains = self.get_trusted_domains()
|
|
|
|
|
if name in domains:
|
|
|
|
|
return domains[name][1]
|
|
|
|
|
else:
|
|
|
|
|
return None
|
|
|
|
|
|
2013-01-18 10:28:39 -06:00
|
|
|
def get_trusted_domain_objects(self, domain=None, flatname=None, filter="",
|
|
|
|
|
attrs=None, scope=_ldap.SCOPE_SUBTREE, basedn=None):
|
|
|
|
|
"""
|
|
|
|
|
Search for LDAP objects in a trusted domain specified either by `domain'
|
|
|
|
|
or `flatname'. The actual LDAP search is specified by `filter', `attrs',
|
|
|
|
|
`scope' and `basedn'. When `basedn' is empty, database root DN is used.
|
|
|
|
|
"""
|
|
|
|
|
assert domain is not None or flatname is not None
|
2012-10-31 14:52:12 -05:00
|
|
|
"""Returns SID for the trusted domain object (user or group only)"""
|
|
|
|
|
if not self.domain:
|
|
|
|
|
# our domain is not configured or self.is_configured() never run
|
2013-01-18 10:28:39 -06:00
|
|
|
raise errors.ValidationError(name=_('Trust setup'),
|
|
|
|
|
error=_('Our domain is not configured'))
|
2012-10-31 14:52:12 -05:00
|
|
|
if not self._domains:
|
|
|
|
|
self._domains = self.get_trusted_domains()
|
|
|
|
|
if len(self._domains) == 0:
|
|
|
|
|
# Our domain is configured but no trusted domains are configured
|
2013-01-18 10:28:39 -06:00
|
|
|
raise errors.ValidationError(name=_('Trust setup'),
|
|
|
|
|
error=_('No trusted domain is not configured'))
|
2012-10-31 14:52:12 -05:00
|
|
|
|
2013-01-18 10:28:39 -06:00
|
|
|
entries = None
|
|
|
|
|
if domain is not None:
|
|
|
|
|
if domain not in self._domains:
|
|
|
|
|
raise errors.ValidationError(name=_('trusted domain object'),
|
|
|
|
|
error= _('domain is not trusted'))
|
2012-10-31 14:52:12 -05:00
|
|
|
# Now we have a name to check against our list of trusted domains
|
2013-01-18 10:28:39 -06:00
|
|
|
entries = self.search_in_gc(domain, filter, attrs, scope, basedn)
|
|
|
|
|
elif flatname is not None:
|
2012-10-31 14:52:12 -05:00
|
|
|
# Flatname was specified, traverse through the list of trusted
|
|
|
|
|
# domains first to find the proper one
|
2013-01-18 10:28:39 -06:00
|
|
|
found_flatname = False
|
2012-10-31 14:52:12 -05:00
|
|
|
for domain in self._domains:
|
2013-01-18 10:28:39 -06:00
|
|
|
if self._domains[domain][0] == flatname:
|
|
|
|
|
found_flatname = True
|
|
|
|
|
entries = self.search_in_gc(domain, filter, attrs, scope, basedn)
|
|
|
|
|
if entries:
|
2012-10-31 14:52:12 -05:00
|
|
|
break
|
2013-01-18 10:28:39 -06:00
|
|
|
if not found_flatname:
|
|
|
|
|
raise errors.ValidationError(name=_('trusted domain object'),
|
|
|
|
|
error= _('no trusted domain matched the specified flat name'))
|
|
|
|
|
if not entries:
|
|
|
|
|
raise errors.NotFound(reason=_('trusted domain object not found'))
|
|
|
|
|
|
|
|
|
|
return entries
|
|
|
|
|
|
|
|
|
|
def get_trusted_domain_object_sid(self, object_name):
|
|
|
|
|
components = normalize_name(object_name)
|
|
|
|
|
if not ('domain' in components or 'flatname' in components):
|
|
|
|
|
# No domain or realm specified, ambiguous search
|
|
|
|
|
raise errors.ValidationError(name=_('trusted domain object'),
|
|
|
|
|
error= _('Ambiguous search, user domain was not specified'))
|
|
|
|
|
|
|
|
|
|
attrs = ['objectSid']
|
|
|
|
|
filter = '(&(sAMAccountName=%(name)s)(|(objectClass=user)(objectClass=group)))' \
|
|
|
|
|
% dict(name=components['name'])
|
|
|
|
|
scope = _ldap.SCOPE_SUBTREE
|
|
|
|
|
entries = self.get_trusted_domain_objects(components.get('domain'),
|
|
|
|
|
components.get('flatname'), filter, attrs, scope)
|
|
|
|
|
|
|
|
|
|
if len(entries) > 1:
|
|
|
|
|
# Treat non-unique entries as invalid
|
|
|
|
|
raise errors.ValidationError(name=_('trusted domain object'),
|
|
|
|
|
error= _('Trusted domain did not return a unique object'))
|
|
|
|
|
sid = self.__sid_to_str(entries[0][1]['objectSid'][0])
|
|
|
|
|
try:
|
|
|
|
|
test_sid = security.dom_sid(sid)
|
|
|
|
|
return unicode(test_sid)
|
|
|
|
|
except TypeError, e:
|
|
|
|
|
raise errors.ValidationError(name=_('trusted domain object'),
|
|
|
|
|
error= _('Trusted domain did not return a valid SID for the object'))
|
2012-10-31 14:52:12 -05:00
|
|
|
|
2013-01-18 10:38:15 -06:00
|
|
|
def get_trusted_domain_user_and_groups(self, object_name):
|
|
|
|
|
"""
|
|
|
|
|
Returns a tuple with user SID and a list of SIDs of all groups he is
|
|
|
|
|
a member of.
|
|
|
|
|
|
|
|
|
|
LIMITATIONS:
|
|
|
|
|
- only Trusted Admins group members can use this function as it
|
|
|
|
|
uses secret for IPA-Trusted domain link
|
|
|
|
|
- List of group SIDs does not contain group memberships outside
|
|
|
|
|
of the trusted domain
|
|
|
|
|
"""
|
|
|
|
|
components = normalize_name(object_name)
|
|
|
|
|
domain = components.get('domain')
|
|
|
|
|
flatname = components.get('flatname')
|
|
|
|
|
name = components.get('name')
|
|
|
|
|
|
|
|
|
|
is_valid_sid = is_sid_valid(object_name)
|
|
|
|
|
if is_valid_sid:
|
|
|
|
|
# Find a trusted domain for the SID
|
|
|
|
|
domain = self.get_domain_by_sid(object_name)
|
|
|
|
|
# Now search a trusted domain for a user with this SID
|
|
|
|
|
attrs = ['cn']
|
|
|
|
|
filter = '(&(objectClass=user)(objectSid=%(sid)s))' \
|
|
|
|
|
% dict(sid=object_name)
|
|
|
|
|
try:
|
|
|
|
|
entries = self.get_trusted_domain_objects(domain=domain, filter=filter,
|
|
|
|
|
attrs=attrs, scope=_ldap.SCOPE_SUBTREE)
|
|
|
|
|
except errors.NotFound:
|
|
|
|
|
raise errors.NotFound(reason=_('trusted domain user not found'))
|
|
|
|
|
user_dn = entries[0][0]
|
|
|
|
|
elif domain or flatname:
|
|
|
|
|
attrs = ['cn']
|
|
|
|
|
filter = '(&(sAMAccountName=%(name)s)(objectClass=user))' \
|
|
|
|
|
% dict(name=name)
|
|
|
|
|
try:
|
|
|
|
|
entries = self.get_trusted_domain_objects(domain,
|
|
|
|
|
flatname, filter, attrs, _ldap.SCOPE_SUBTREE)
|
|
|
|
|
except errors.NotFound:
|
|
|
|
|
raise errors.NotFound(reason=_('trusted domain user not found'))
|
|
|
|
|
user_dn = entries[0][0]
|
|
|
|
|
else:
|
|
|
|
|
# No domain or realm specified, ambiguous search
|
|
|
|
|
raise errors.ValidationError(name=_('trusted domain object'),
|
|
|
|
|
error= _('Ambiguous search, user domain was not specified'))
|
|
|
|
|
|
|
|
|
|
# Get SIDs of user object and it's groups
|
|
|
|
|
# tokenGroups attribute must be read with a scope BASE for a known user
|
|
|
|
|
# distinguished name to avoid search error
|
|
|
|
|
attrs = ['objectSID', 'tokenGroups']
|
|
|
|
|
filter = "(objectClass=user)"
|
|
|
|
|
entries = self.get_trusted_domain_objects(domain,
|
|
|
|
|
flatname, filter, attrs, _ldap.SCOPE_BASE, user_dn)
|
|
|
|
|
object_sid = self.__sid_to_str(entries[0][1]['objectSid'][0])
|
|
|
|
|
group_sids = [self.__sid_to_str(sid) for sid in entries[0][1]['tokenGroups']]
|
|
|
|
|
return (object_sid, group_sids)
|
|
|
|
|
|
2012-10-31 14:52:12 -05:00
|
|
|
def __sid_to_str(self, sid):
|
|
|
|
|
"""
|
|
|
|
|
Converts binary SID to string representation
|
|
|
|
|
Returns unicode string
|
|
|
|
|
"""
|
|
|
|
|
sid_rev_num = ord(sid[0])
|
|
|
|
|
number_sub_id = ord(sid[1])
|
|
|
|
|
ia = struct.unpack('!Q','\x00\x00'+sid[2:8])[0]
|
|
|
|
|
subs = [
|
|
|
|
|
struct.unpack('<I',sid[8+4*i:12+4*i])[0]
|
|
|
|
|
for i in range(number_sub_id)
|
|
|
|
|
]
|
|
|
|
|
return u'S-%d-%d-%s' % ( sid_rev_num, ia, '-'.join([str(s) for s in subs]),)
|
|
|
|
|
|
|
|
|
|
def __extract_trusted_auth(self, info):
|
|
|
|
|
"""
|
|
|
|
|
Returns in clear trusted domain account credentials
|
|
|
|
|
"""
|
|
|
|
|
clear = None
|
|
|
|
|
auth = drsblobs.trustAuthInOutBlob()
|
|
|
|
|
auth.__ndr_unpack__(info['auth'])
|
|
|
|
|
auth_array = auth.current.array[0]
|
|
|
|
|
if auth_array.AuthType == lsa.TRUST_AUTH_TYPE_CLEAR:
|
|
|
|
|
clear = ''.join(map(chr, auth_array.AuthInfo.password)).decode('utf-16-le')
|
|
|
|
|
return clear
|
|
|
|
|
|
|
|
|
|
def __kinit_as_trusted_account(self, info, password):
|
|
|
|
|
"""
|
|
|
|
|
Initializes ccache with trusted domain account credentials.
|
|
|
|
|
|
|
|
|
|
Applies session code defaults for ccache directory and naming prefix.
|
|
|
|
|
Session code uses krbccache_prefix+<pid>, we use
|
|
|
|
|
krbccache_prefix+<TD>+<domain netbios name> so there is no clash
|
|
|
|
|
|
|
|
|
|
Returns tuple (ccache name, principal) where (None, None) signifes an error
|
|
|
|
|
on ccache initialization
|
|
|
|
|
"""
|
|
|
|
|
ccache_name = os.path.join(krbccache_dir, "%sTD%s" % (krbccache_prefix, info['name'][0]))
|
|
|
|
|
principal = '%s$@%s' % (self.flatname, info['dns_domain'].upper())
|
|
|
|
|
(stdout, stderr, returncode) = ipautil.run(['/usr/bin/kinit', principal],
|
|
|
|
|
env={'KRB5CCNAME':ccache_name},
|
|
|
|
|
stdin=password, raiseonerr=False)
|
|
|
|
|
if returncode == 0:
|
|
|
|
|
return (ccache_name, principal)
|
|
|
|
|
else:
|
2012-11-27 12:31:02 -06:00
|
|
|
if returncode == 1:
|
|
|
|
|
raise errors.ACIError(
|
|
|
|
|
info=_("KDC for %(domain)s denied trust account for IPA domain with a message '%(message)s'") %
|
|
|
|
|
dict(domain=info['dns_domain'],message=stderr.strip()))
|
2012-10-31 14:52:12 -05:00
|
|
|
return (None, None)
|
|
|
|
|
|
2013-01-18 10:28:39 -06:00
|
|
|
def search_in_gc(self, domain, filter, attrs, scope, basedn=None):
|
2012-10-31 14:52:12 -05:00
|
|
|
"""
|
2013-01-18 10:28:39 -06:00
|
|
|
Perform LDAP search in a trusted domain `domain' Global Catalog.
|
|
|
|
|
Returns resulting entries or None
|
2012-10-31 14:52:12 -05:00
|
|
|
"""
|
2013-01-18 10:28:39 -06:00
|
|
|
entries = None
|
2012-10-31 14:52:12 -05:00
|
|
|
sid = None
|
|
|
|
|
info = self.__retrieve_trusted_domain_gc_list(domain)
|
|
|
|
|
if not info:
|
2013-01-18 10:28:39 -06:00
|
|
|
raise errors.ValidationError(name=_('Trust setup'),
|
|
|
|
|
error=_('Cannot retrieve trusted domain GC list'))
|
2012-10-31 14:52:12 -05:00
|
|
|
for (host, port) in info['gc']:
|
2013-01-18 10:28:39 -06:00
|
|
|
entries = self.__search_in_gc(info, host, port, filter, attrs, scope, basedn)
|
|
|
|
|
if entries:
|
2012-10-31 14:52:12 -05:00
|
|
|
break
|
|
|
|
|
|
2013-01-18 10:28:39 -06:00
|
|
|
return entries
|
2012-10-31 14:52:12 -05:00
|
|
|
|
2013-01-18 10:28:39 -06:00
|
|
|
def __search_in_gc(self, info, host, port, filter, attrs, scope, basedn=None):
|
2012-10-31 14:52:12 -05:00
|
|
|
"""
|
2013-01-18 10:28:39 -06:00
|
|
|
Actual search in AD LDAP server, using SASL GSSAPI authentication
|
2012-10-31 14:52:12 -05:00
|
|
|
Returns LDAP result or None
|
|
|
|
|
"""
|
2013-03-07 03:56:49 -06:00
|
|
|
conn = IPAdmin(host=host, port=port, no_schema=True, decode_attrs=False)
|
2012-10-31 14:52:12 -05:00
|
|
|
auth = self.__extract_trusted_auth(info)
|
2013-01-18 10:28:39 -06:00
|
|
|
if attrs is None:
|
|
|
|
|
attrs = []
|
2012-10-31 14:52:12 -05:00
|
|
|
if auth:
|
|
|
|
|
(ccache_name, principal) = self.__kinit_as_trusted_account(info, auth)
|
|
|
|
|
if ccache_name:
|
|
|
|
|
old_ccache = os.environ.get('KRB5CCNAME')
|
|
|
|
|
os.environ["KRB5CCNAME"] = ccache_name
|
|
|
|
|
# OPT_X_SASL_NOCANON is used to avoid hard requirement for PTR
|
|
|
|
|
# records pointing back to the same host name
|
|
|
|
|
conn.set_option(_ldap.OPT_X_SASL_NOCANON, _ldap.OPT_ON)
|
2013-01-29 11:01:36 -06:00
|
|
|
conn.do_sasl_gssapi_bind()
|
2013-01-18 10:28:39 -06:00
|
|
|
if basedn is None:
|
|
|
|
|
# Use domain root base DN
|
|
|
|
|
basedn = DN(*map(lambda p: ('dc', p), info['dns_domain'].split('.')))
|
2013-03-07 03:56:49 -06:00
|
|
|
entries = conn.get_entries(basedn, scope, filter, attrs)
|
2012-10-31 14:52:12 -05:00
|
|
|
os.environ["KRB5CCNAME"] = old_ccache
|
2013-01-18 10:28:39 -06:00
|
|
|
return entries
|
2012-10-31 14:52:12 -05:00
|
|
|
|
|
|
|
|
def __retrieve_trusted_domain_gc_list(self, domain):
|
|
|
|
|
"""
|
|
|
|
|
Retrieves domain information and preferred GC list
|
|
|
|
|
Returns dictionary with following keys
|
|
|
|
|
name -- NetBIOS name of the trusted domain
|
|
|
|
|
dns_domain -- DNS name of the trusted domain
|
|
|
|
|
auth -- encrypted credentials for trusted domain account
|
|
|
|
|
gc -- array of tuples (server, port) for Global Catalog
|
|
|
|
|
"""
|
|
|
|
|
if domain in self._info:
|
|
|
|
|
return self._info[domain]
|
|
|
|
|
|
|
|
|
|
if not self._creds:
|
|
|
|
|
self._parm = param.LoadParm()
|
|
|
|
|
self._parm.load(os.path.join(ipautil.SHARE_DIR,"smb.conf.empty"))
|
|
|
|
|
self._parm.set('netbios name', self.flatname)
|
|
|
|
|
self._creds = credentials.Credentials()
|
|
|
|
|
self._creds.set_kerberos_state(credentials.MUST_USE_KERBEROS)
|
|
|
|
|
self._creds.guess(self._parm)
|
|
|
|
|
self._creds.set_workstation(self.flatname)
|
|
|
|
|
|
|
|
|
|
netrc = net.Net(creds=self._creds, lp=self._parm)
|
|
|
|
|
finddc_error = None
|
|
|
|
|
result = None
|
|
|
|
|
try:
|
|
|
|
|
result = netrc.finddc(domain=domain, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_GC | nbt.NBT_SERVER_CLOSEST)
|
|
|
|
|
except RuntimeError, e:
|
|
|
|
|
finddc_error = e
|
|
|
|
|
|
|
|
|
|
info = dict()
|
|
|
|
|
info['auth'] = self._domains[domain][2]
|
|
|
|
|
servers = []
|
|
|
|
|
if result:
|
|
|
|
|
info['name'] = unicode(result.domain_name)
|
|
|
|
|
info['dns_domain'] = unicode(result.dns_domain)
|
|
|
|
|
servers = [(unicode(result.pdc_dns_name), 3268)]
|
|
|
|
|
else:
|
|
|
|
|
info['name'] = self._domains[domain]
|
|
|
|
|
info['dns_domain'] = domain
|
|
|
|
|
# Retrieve GC servers list
|
|
|
|
|
gc_name = '_gc._tcp.%s.' % info['dns_domain']
|
|
|
|
|
|
|
|
|
|
try:
|
|
|
|
|
answers = resolver.query(gc_name, rdatatype.SRV)
|
|
|
|
|
except DNSException, e:
|
|
|
|
|
answers = []
|
|
|
|
|
|
|
|
|
|
for answer in answers:
|
|
|
|
|
server = str(answer.target).rstrip(".")
|
|
|
|
|
servers.append((server, answer.port))
|
|
|
|
|
|
|
|
|
|
info['gc'] = servers
|
|
|
|
|
|
|
|
|
|
# Both methods should not fail at the same time
|
|
|
|
|
if finddc_error and len(info['gc']) == 0:
|
|
|
|
|
raise assess_dcerpc_exception(message=str(finddc_error))
|
|
|
|
|
|
|
|
|
|
self._info[domain] = info
|
|
|
|
|
return info
|
|
|
|
|
|
|
|
|
|
|
2012-02-28 05:24:41 -06:00
|
|
|
class TrustDomainInstance(object):
|
|
|
|
|
|
|
|
|
|
def __init__(self, hostname, creds=None):
|
|
|
|
|
self.parm = param.LoadParm()
|
|
|
|
|
self.parm.load(os.path.join(ipautil.SHARE_DIR,"smb.conf.empty"))
|
|
|
|
|
if len(hostname) > 0:
|
|
|
|
|
self.parm.set('netbios name', hostname)
|
|
|
|
|
self.creds = creds
|
|
|
|
|
self.hostname = hostname
|
|
|
|
|
self.info = {}
|
|
|
|
|
self._pipe = None
|
|
|
|
|
self._policy_handle = None
|
|
|
|
|
self.read_only = False
|
|
|
|
|
|
|
|
|
|
def __gen_lsa_connection(self, binding):
|
|
|
|
|
if self.creds is None:
|
2012-08-13 08:35:19 -05:00
|
|
|
raise errors.RequirementError(name=_('CIFS credentials object'))
|
2012-02-28 05:24:41 -06:00
|
|
|
try:
|
|
|
|
|
result = lsa.lsarpc(binding, self.parm, self.creds)
|
|
|
|
|
return result
|
2012-08-01 02:14:09 -05:00
|
|
|
except RuntimeError, (num, message):
|
|
|
|
|
raise assess_dcerpc_exception(num=num, message=message)
|
2012-02-28 05:24:41 -06:00
|
|
|
|
|
|
|
|
def __init_lsa_pipe(self, remote_host):
|
|
|
|
|
"""
|
|
|
|
|
Try to initialize connection to the LSA pipe at remote host.
|
|
|
|
|
This method tries consequently all possible transport options
|
|
|
|
|
and selects one that works. See __gen_lsa_bindings() for details.
|
|
|
|
|
|
|
|
|
|
The actual result may depend on details of existing credentials.
|
|
|
|
|
For example, using signing causes NO_SESSION_KEY with Win2K8 and
|
|
|
|
|
using kerberos against Samba with signing does not work.
|
|
|
|
|
"""
|
|
|
|
|
# short-cut: if LSA pipe is initialized, skip completely
|
|
|
|
|
if self._pipe:
|
|
|
|
|
return
|
|
|
|
|
|
2012-08-01 02:14:09 -05:00
|
|
|
attempts = 0
|
2012-02-28 05:24:41 -06:00
|
|
|
bindings = self.__gen_lsa_bindings(remote_host)
|
|
|
|
|
for binding in bindings:
|
2012-08-01 02:14:09 -05:00
|
|
|
try:
|
|
|
|
|
self._pipe = self.__gen_lsa_connection(binding)
|
|
|
|
|
if self._pipe:
|
|
|
|
|
break
|
|
|
|
|
except errors.ACIError, e:
|
|
|
|
|
attempts = attempts + 1
|
|
|
|
|
|
|
|
|
|
if self._pipe is None and attempts == len(bindings):
|
2012-08-13 08:35:19 -05:00
|
|
|
raise errors.ACIError(
|
|
|
|
|
info=_('CIFS server %(host)s denied your credentials') % dict(host=remote_host))
|
2012-08-01 02:14:09 -05:00
|
|
|
|
2012-02-28 05:24:41 -06:00
|
|
|
if self._pipe is None:
|
2012-08-13 08:35:19 -05:00
|
|
|
raise errors.RemoteRetrieveError(
|
|
|
|
|
reason=_('Cannot establish LSA connection to %(host)s. Is CIFS server running?') % dict(host=remote_host))
|
2012-09-13 12:01:55 -05:00
|
|
|
self.binding = binding
|
2012-02-28 05:24:41 -06:00
|
|
|
|
|
|
|
|
def __gen_lsa_bindings(self, remote_host):
|
|
|
|
|
"""
|
|
|
|
|
There are multiple transports to issue LSA calls. However, depending on a
|
|
|
|
|
system in use they may be blocked by local operating system policies.
|
|
|
|
|
Generate all we can use. __init_lsa_pipe() will try them one by one until
|
|
|
|
|
there is one working.
|
|
|
|
|
|
|
|
|
|
We try NCACN_NP before NCACN_IP_TCP and signed sessions before unsigned.
|
|
|
|
|
"""
|
|
|
|
|
transports = (u'ncacn_np', u'ncacn_ip_tcp')
|
|
|
|
|
options = ( u',', u'')
|
|
|
|
|
binding_template=lambda x,y,z: u'%s:%s[%s]' % (x, y, z)
|
|
|
|
|
return [binding_template(t, remote_host, o) for t in transports for o in options]
|
|
|
|
|
|
|
|
|
|
def retrieve_anonymously(self, remote_host, discover_srv=False):
|
|
|
|
|
"""
|
|
|
|
|
When retrieving DC information anonymously, we can't get SID of the domain
|
|
|
|
|
"""
|
|
|
|
|
netrc = net.Net(creds=self.creds, lp=self.parm)
|
2012-08-01 02:14:09 -05:00
|
|
|
try:
|
|
|
|
|
if discover_srv:
|
|
|
|
|
result = netrc.finddc(domain=remote_host, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS)
|
|
|
|
|
else:
|
|
|
|
|
result = netrc.finddc(address=remote_host, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS)
|
|
|
|
|
except RuntimeError, e:
|
|
|
|
|
raise assess_dcerpc_exception(message=str(e))
|
|
|
|
|
|
2012-02-28 05:24:41 -06:00
|
|
|
if not result:
|
|
|
|
|
return False
|
|
|
|
|
self.info['name'] = unicode(result.domain_name)
|
|
|
|
|
self.info['dns_domain'] = unicode(result.dns_domain)
|
|
|
|
|
self.info['dns_forest'] = unicode(result.forest)
|
|
|
|
|
self.info['guid'] = unicode(result.domain_uuid)
|
2012-09-13 12:01:55 -05:00
|
|
|
self.info['dc'] = unicode(result.pdc_dns_name)
|
2012-02-28 05:24:41 -06:00
|
|
|
|
|
|
|
|
# Netlogon response doesn't contain SID of the domain.
|
|
|
|
|
# We need to do rootDSE search with LDAP_SERVER_EXTENDED_DN_OID control to reveal the SID
|
2012-03-21 07:51:50 -05:00
|
|
|
ldap_uri = 'ldap://%s' % (result.pdc_dns_name)
|
2012-02-28 05:24:41 -06:00
|
|
|
conn = _ldap.initialize(ldap_uri)
|
|
|
|
|
conn.set_option(_ldap.OPT_SERVER_CONTROLS, [ExtendedDNControl()])
|
|
|
|
|
result = None
|
|
|
|
|
try:
|
|
|
|
|
(objtype, res) = conn.search_s('', _ldap.SCOPE_BASE)[0]
|
|
|
|
|
result = res['defaultNamingContext'][0]
|
|
|
|
|
self.info['dns_hostname'] = res['dnsHostName'][0]
|
|
|
|
|
except _ldap.LDAPError, e:
|
2012-08-13 08:35:19 -05:00
|
|
|
root_logger.error(
|
|
|
|
|
"LDAP error when connecting to %(host)s: %(error)s" %
|
|
|
|
|
dict(host=unicode(result.pdc_name), error=str(e)))
|
2012-02-28 05:24:41 -06:00
|
|
|
|
|
|
|
|
if result:
|
|
|
|
|
self.info['sid'] = self.parse_naming_context(result)
|
|
|
|
|
return True
|
|
|
|
|
|
|
|
|
|
def parse_naming_context(self, context):
|
|
|
|
|
naming_ref = re.compile('.*<SID=(S-.*)>.*')
|
|
|
|
|
return naming_ref.match(context).group(1)
|
|
|
|
|
|
|
|
|
|
def retrieve(self, remote_host):
|
|
|
|
|
self.__init_lsa_pipe(remote_host)
|
|
|
|
|
|
|
|
|
|
objectAttribute = lsa.ObjectAttribute()
|
|
|
|
|
objectAttribute.sec_qos = lsa.QosInfo()
|
2012-08-01 02:14:09 -05:00
|
|
|
try:
|
|
|
|
|
self._policy_handle = self._pipe.OpenPolicy2(u"", objectAttribute, security.SEC_FLAG_MAXIMUM_ALLOWED)
|
|
|
|
|
result = self._pipe.QueryInfoPolicy2(self._policy_handle, lsa.LSA_POLICY_INFO_DNS)
|
|
|
|
|
except RuntimeError, (num, message):
|
|
|
|
|
raise assess_dcerpc_exception(num=num, message=message)
|
|
|
|
|
|
2012-02-28 05:24:41 -06:00
|
|
|
self.info['name'] = unicode(result.name.string)
|
|
|
|
|
self.info['dns_domain'] = unicode(result.dns_domain.string)
|
|
|
|
|
self.info['dns_forest'] = unicode(result.dns_forest.string)
|
|
|
|
|
self.info['guid'] = unicode(result.domain_guid)
|
|
|
|
|
self.info['sid'] = unicode(result.sid)
|
2012-09-13 12:01:55 -05:00
|
|
|
self.info['dc'] = remote_host
|
2012-02-28 05:24:41 -06:00
|
|
|
|
|
|
|
|
def generate_auth(self, trustdom_secret):
|
|
|
|
|
def arcfour_encrypt(key, data):
|
2012-11-21 10:33:49 -06:00
|
|
|
c = RC4.RC4(key)
|
|
|
|
|
return c.update(data)
|
2012-02-28 05:24:41 -06:00
|
|
|
def string_to_array(what):
|
|
|
|
|
blob = [0] * len(what)
|
|
|
|
|
|
|
|
|
|
for i in range(len(what)):
|
|
|
|
|
blob[i] = ord(what[i])
|
|
|
|
|
return blob
|
|
|
|
|
|
|
|
|
|
password_blob = string_to_array(trustdom_secret.encode('utf-16-le'))
|
|
|
|
|
|
|
|
|
|
clear_value = drsblobs.AuthInfoClear()
|
|
|
|
|
clear_value.size = len(password_blob)
|
|
|
|
|
clear_value.password = password_blob
|
|
|
|
|
|
|
|
|
|
clear_authentication_information = drsblobs.AuthenticationInformation()
|
|
|
|
|
clear_authentication_information.LastUpdateTime = samba.unix2nttime(int(time.time()))
|
|
|
|
|
clear_authentication_information.AuthType = lsa.TRUST_AUTH_TYPE_CLEAR
|
|
|
|
|
clear_authentication_information.AuthInfo = clear_value
|
|
|
|
|
|
|
|
|
|
authentication_information_array = drsblobs.AuthenticationInformationArray()
|
|
|
|
|
authentication_information_array.count = 1
|
|
|
|
|
authentication_information_array.array = [clear_authentication_information]
|
|
|
|
|
|
|
|
|
|
outgoing = drsblobs.trustAuthInOutBlob()
|
|
|
|
|
outgoing.count = 1
|
|
|
|
|
outgoing.current = authentication_information_array
|
|
|
|
|
|
|
|
|
|
confounder = [3]*512
|
|
|
|
|
for i in range(512):
|
|
|
|
|
confounder[i] = random.randint(0, 255)
|
|
|
|
|
|
|
|
|
|
trustpass = drsblobs.trustDomainPasswords()
|
|
|
|
|
trustpass.confounder = confounder
|
|
|
|
|
|
|
|
|
|
trustpass.outgoing = outgoing
|
|
|
|
|
trustpass.incoming = outgoing
|
|
|
|
|
|
|
|
|
|
trustpass_blob = ndr_pack(trustpass)
|
|
|
|
|
|
|
|
|
|
encrypted_trustpass = arcfour_encrypt(self._pipe.session_key, trustpass_blob)
|
|
|
|
|
|
|
|
|
|
auth_blob = lsa.DATA_BUF2()
|
|
|
|
|
auth_blob.size = len(encrypted_trustpass)
|
|
|
|
|
auth_blob.data = string_to_array(encrypted_trustpass)
|
|
|
|
|
|
|
|
|
|
auth_info = lsa.TrustDomainInfoAuthInfoInternal()
|
|
|
|
|
auth_info.auth_blob = auth_blob
|
|
|
|
|
self.auth_info = auth_info
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def establish_trust(self, another_domain, trustdom_secret):
|
|
|
|
|
"""
|
|
|
|
|
Establishes trust between our and another domain
|
|
|
|
|
Input: another_domain -- instance of TrustDomainInstance, initialized with #retrieve call
|
|
|
|
|
trustdom_secret -- shared secred used for the trust
|
|
|
|
|
"""
|
|
|
|
|
self.generate_auth(trustdom_secret)
|
|
|
|
|
|
|
|
|
|
info = lsa.TrustDomainInfoInfoEx()
|
|
|
|
|
info.domain_name.string = another_domain.info['dns_domain']
|
|
|
|
|
info.netbios_name.string = another_domain.info['name']
|
|
|
|
|
info.sid = security.dom_sid(another_domain.info['sid'])
|
|
|
|
|
info.trust_direction = lsa.LSA_TRUST_DIRECTION_INBOUND | lsa.LSA_TRUST_DIRECTION_OUTBOUND
|
|
|
|
|
info.trust_type = lsa.LSA_TRUST_TYPE_UPLEVEL
|
2012-10-05 10:25:29 -05:00
|
|
|
info.trust_attributes = lsa.LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
|
2012-02-28 05:24:41 -06:00
|
|
|
|
2013-01-11 09:33:43 -06:00
|
|
|
if self.info['name'] == info.netbios_name.string:
|
|
|
|
|
# Check that NetBIOS names do not clash
|
|
|
|
|
raise errors.ValidationError(name=u'AD Trust Setup',
|
|
|
|
|
error=_('the IPA server and the remote domain cannot share the same '
|
|
|
|
|
'NetBIOS name: %s') % self.info['name'])
|
|
|
|
|
|
2012-02-28 05:24:41 -06:00
|
|
|
try:
|
|
|
|
|
dname = lsa.String()
|
|
|
|
|
dname.string = another_domain.info['dns_domain']
|
|
|
|
|
res = self._pipe.QueryTrustedDomainInfoByName(self._policy_handle, dname, lsa.LSA_TRUSTED_DOMAIN_INFO_FULL_INFO)
|
|
|
|
|
self._pipe.DeleteTrustedDomain(self._policy_handle, res.info_ex.sid)
|
2012-08-01 02:14:09 -05:00
|
|
|
except RuntimeError, e:
|
2012-02-28 05:24:41 -06:00
|
|
|
pass
|
2012-08-01 02:14:09 -05:00
|
|
|
try:
|
2012-09-26 17:34:57 -05:00
|
|
|
trustdom_handle = self._pipe.CreateTrustedDomainEx2(self._policy_handle, info, self.auth_info, security.SEC_STD_DELETE)
|
2012-08-01 02:14:09 -05:00
|
|
|
except RuntimeError, (num, message):
|
|
|
|
|
raise assess_dcerpc_exception(num=num, message=message)
|
2012-02-28 05:24:41 -06:00
|
|
|
|
2012-09-26 17:34:57 -05:00
|
|
|
try:
|
|
|
|
|
infoclass = lsa.TrustDomainInfoSupportedEncTypes()
|
|
|
|
|
infoclass.enc_types = security.KERB_ENCTYPE_RC4_HMAC_MD5
|
|
|
|
|
infoclass.enc_types |= security.KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96
|
|
|
|
|
infoclass.enc_types |= security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96
|
|
|
|
|
self._pipe.SetInformationTrustedDomain(trustdom_handle, lsa.LSA_TRUSTED_DOMAIN_SUPPORTED_ENCRYPTION_TYPES, infoclass)
|
|
|
|
|
except RuntimeError, e:
|
|
|
|
|
pass
|
|
|
|
|
|
2012-09-13 12:01:55 -05:00
|
|
|
def verify_trust(self, another_domain):
|
|
|
|
|
def retrieve_netlogon_info_2(domain, function_code, data):
|
|
|
|
|
try:
|
|
|
|
|
netr_pipe = netlogon.netlogon(domain.binding, domain.parm, domain.creds)
|
|
|
|
|
result = netr_pipe.netr_LogonControl2Ex(logon_server=None,
|
|
|
|
|
function_code=function_code,
|
|
|
|
|
level=2,
|
|
|
|
|
data=data
|
|
|
|
|
)
|
|
|
|
|
return result
|
|
|
|
|
except RuntimeError, (num, message):
|
|
|
|
|
raise assess_dcerpc_exception(num=num, message=message)
|
|
|
|
|
|
|
|
|
|
result = retrieve_netlogon_info_2(self,
|
|
|
|
|
netlogon.NETLOGON_CONTROL_TC_VERIFY,
|
|
|
|
|
another_domain.info['dns_domain'])
|
2012-09-25 09:25:42 -05:00
|
|
|
if (result and (result.flags and netlogon.NETLOGON_VERIFY_STATUS_RETURNED)):
|
|
|
|
|
# netr_LogonControl2Ex() returns non-None result only if overall call
|
|
|
|
|
# result was WERR_OK which means verification was correct.
|
|
|
|
|
# We only check that it was indeed status for verification process
|
2012-09-13 12:01:55 -05:00
|
|
|
return True
|
|
|
|
|
return False
|
|
|
|
|
|
2012-02-28 05:24:41 -06:00
|
|
|
class TrustDomainJoins(object):
|
|
|
|
|
def __init__(self, api):
|
|
|
|
|
self.api = api
|
|
|
|
|
self.local_domain = None
|
|
|
|
|
self.remote_domain = None
|
|
|
|
|
|
2012-06-20 08:08:33 -05:00
|
|
|
domain_validator = DomainValidator(api)
|
|
|
|
|
self.configured = domain_validator.is_configured()
|
2012-02-28 05:24:41 -06:00
|
|
|
|
2012-06-20 08:08:33 -05:00
|
|
|
if self.configured:
|
|
|
|
|
self.local_flatname = domain_validator.flatname
|
|
|
|
|
self.local_dn = domain_validator.dn
|
|
|
|
|
self.__populate_local_domain()
|
2012-02-28 05:24:41 -06:00
|
|
|
|
|
|
|
|
def __populate_local_domain(self):
|
|
|
|
|
# Initialize local domain info using kerberos only
|
|
|
|
|
ld = TrustDomainInstance(self.local_flatname)
|
|
|
|
|
ld.creds = credentials.Credentials()
|
|
|
|
|
ld.creds.set_kerberos_state(credentials.MUST_USE_KERBEROS)
|
|
|
|
|
ld.creds.guess(ld.parm)
|
|
|
|
|
ld.creds.set_workstation(ld.hostname)
|
2012-05-15 12:10:28 -05:00
|
|
|
ld.retrieve(installutils.get_fqdn())
|
2012-02-28 05:24:41 -06:00
|
|
|
self.local_domain = ld
|
|
|
|
|
|
|
|
|
|
def __populate_remote_domain(self, realm, realm_server=None, realm_admin=None, realm_passwd=None):
|
|
|
|
|
def get_instance(self):
|
|
|
|
|
# Fetch data from foreign domain using password only
|
|
|
|
|
rd = TrustDomainInstance('')
|
|
|
|
|
rd.parm.set('workgroup', self.local_domain.info['name'])
|
|
|
|
|
rd.creds = credentials.Credentials()
|
|
|
|
|
rd.creds.set_kerberos_state(credentials.DONT_USE_KERBEROS)
|
|
|
|
|
rd.creds.guess(rd.parm)
|
|
|
|
|
return rd
|
|
|
|
|
|
|
|
|
|
rd = get_instance(self)
|
|
|
|
|
rd.creds.set_anonymous()
|
|
|
|
|
rd.creds.set_workstation(self.local_domain.hostname)
|
|
|
|
|
if realm_server is None:
|
|
|
|
|
rd.retrieve_anonymously(realm, discover_srv=True)
|
|
|
|
|
else:
|
|
|
|
|
rd.retrieve_anonymously(realm_server, discover_srv=False)
|
|
|
|
|
rd.read_only = True
|
|
|
|
|
if realm_admin and realm_passwd:
|
|
|
|
|
if 'name' in rd.info:
|
2012-07-16 05:12:42 -05:00
|
|
|
names = realm_admin.split('\\')
|
|
|
|
|
if len(names) > 1:
|
|
|
|
|
# realm admin is in DOMAIN\user format
|
|
|
|
|
# strip DOMAIN part as we'll enforce the one discovered
|
|
|
|
|
realm_admin = names[-1]
|
2012-02-28 05:24:41 -06:00
|
|
|
auth_string = u"%s\%s%%%s" % (rd.info['name'], realm_admin, realm_passwd)
|
|
|
|
|
td = get_instance(self)
|
|
|
|
|
td.creds.parse_string(auth_string)
|
|
|
|
|
td.creds.set_workstation(self.local_domain.hostname)
|
|
|
|
|
if realm_server is None:
|
|
|
|
|
# we must have rd.info['dns_hostname'] then, part of anonymous discovery
|
|
|
|
|
td.retrieve(rd.info['dns_hostname'])
|
|
|
|
|
else:
|
|
|
|
|
td.retrieve(realm_server)
|
|
|
|
|
td.read_only = False
|
|
|
|
|
self.remote_domain = td
|
|
|
|
|
return
|
|
|
|
|
# Otherwise, use anonymously obtained data
|
|
|
|
|
self.remote_domain = rd
|
|
|
|
|
|
|
|
|
|
def join_ad_full_credentials(self, realm, realm_server, realm_admin, realm_passwd):
|
2012-06-20 08:08:33 -05:00
|
|
|
if not self.configured:
|
|
|
|
|
return None
|
|
|
|
|
|
2012-02-28 05:24:41 -06:00
|
|
|
self.__populate_remote_domain(realm, realm_server, realm_admin, realm_passwd)
|
|
|
|
|
if not self.remote_domain.read_only:
|
|
|
|
|
trustdom_pass = samba.generate_random_password(128, 128)
|
|
|
|
|
self.remote_domain.establish_trust(self.local_domain, trustdom_pass)
|
|
|
|
|
self.local_domain.establish_trust(self.remote_domain, trustdom_pass)
|
2012-09-13 12:01:55 -05:00
|
|
|
result = self.remote_domain.verify_trust(self.local_domain)
|
|
|
|
|
return dict(local=self.local_domain, remote=self.remote_domain, verified=result)
|
2012-02-28 05:24:41 -06:00
|
|
|
return None
|
|
|
|
|
|
|
|
|
|
def join_ad_ipa_half(self, realm, realm_server, trustdom_passwd):
|
2012-06-20 08:08:33 -05:00
|
|
|
if not self.configured:
|
|
|
|
|
return None
|
|
|
|
|
|
2012-02-28 05:24:41 -06:00
|
|
|
self.__populate_remote_domain(realm, realm_server, realm_passwd=None)
|
|
|
|
|
self.local_domain.establish_trust(self.remote_domain, trustdom_passwd)
|
2012-09-13 12:01:55 -05:00
|
|
|
return dict(local=self.local_domain, remote=self.remote_domain, verified=False)
|
