trust: integrate subdomains support into trust-add
This commit is contained in:
committed by
Martin Kosek
parent
a87813bf42
commit
f734988e24
@@ -345,7 +345,20 @@ sides.
|
||||
base_dn = DN(api.env.container_trusts, api.env.basedn),
|
||||
filter = trust_filter)
|
||||
|
||||
|
||||
result['result'] = entry_to_dict(trusts[0][1], **options)
|
||||
if options.get('trust_type') == u'ad':
|
||||
domains = fetch_domains_from_trust(self, self.trustinstance, result['result'], **options)
|
||||
if domains and len(domains) > 0:
|
||||
for dom in domains:
|
||||
range_name = dom['cn'][0].upper() + '_id_range'
|
||||
range_type=options.get('range_type', u'ipa-ad-trust')
|
||||
dom_sid = dom['ipanttrusteddomainsid'][0]
|
||||
try:
|
||||
self.add_range(range_name, dom_sid, range_type=range_type)
|
||||
except errors.DuplicateEntry:
|
||||
pass
|
||||
|
||||
result['result']['trusttype'] = [trust_type_string(result['result']['ipanttrusttype'][0])]
|
||||
result['result']['trustdirection'] = [trust_direction_string(result['result']['ipanttrustdirection'][0])]
|
||||
result['result']['truststatus'] = [trust_status_string(result['verified'])]
|
||||
@@ -446,7 +459,7 @@ sides.
|
||||
except errors.NotFound:
|
||||
old_range = None
|
||||
|
||||
if options.get('type') == u'ad':
|
||||
if options.get('trust_type') == u'ad':
|
||||
if range_type and range_type not in (u'ipa-ad-trust',
|
||||
u'ipa-ad-trust-posix'):
|
||||
raise errors.ValidationError(
|
||||
@@ -1179,9 +1192,13 @@ class trustdomain_del(LDAPDelete):
|
||||
api.register(trustdomain_del)
|
||||
|
||||
|
||||
def fetch_domains_from_trust(self, trustinstance, trust_entry):
|
||||
def fetch_domains_from_trust(self, trustinstance, trust_entry, **options):
|
||||
trust_name = trust_entry['cn'][0]
|
||||
domains = ipaserver.dcerpc.fetch_domains(self.api, trustinstance.local_flatname, trust_name)
|
||||
creds = None
|
||||
password = options.get('realm_password', None)
|
||||
if password:
|
||||
creds = u"%s%%%s" % (options.get('realm_admin'), password)
|
||||
domains = ipaserver.dcerpc.fetch_domains(self.api, trustinstance.local_flatname, trust_name, creds=creds)
|
||||
result = []
|
||||
if not domains:
|
||||
return None
|
||||
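Review bot: `creds = u"%s%%%s" % (options.get('realm_admin'), password)` in the last hunk builds the credential string without checking that realm_admin was actually supplied, so a caller who passes only the admin password would authenticate against the trusted DC as the literal user name `None` with the real password; and since the string is later split on the first `%` by Samba's credential parser (the `parse_string` call this same commit adds in dcerpc.py), an admin name containing `%` is silently mis-parsed. Guard before the format with something like `if not options.get('realm_admin'): raise errors.ValidationError(name='realm_admin', error=_('admin user name is required when a password is given'))`, reusing the ValidationError style the second hunk already uses. Separately, the subdomain loop in the first hunk runs after the trust entry has already been read back (so the trust exists at that point), and any error from `add_range` other than DuplicateEntry aborts the command with a half-configured trust; I would at least log the skipped DuplicateEntry instead of `pass` and document that range creation for subdomains is best-effort. fetch_domains_from_trust continues past the end of the hunk.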
|
@@ -939,7 +939,8 @@ class TrustDomainInstance(object):
|
||||
return True
|
||||
return False
|
||||
|
||||
def fetch_domains(api, mydomain, trustdomain):
|
||||
|
||||
def fetch_domains(api, mydomain, trustdomain, creds=None):
|
||||
trust_flags = dict(
|
||||
NETR_TRUST_FLAG_IN_FOREST = 0x00000001,
|
||||
NETR_TRUST_FLAG_OUTBOUND = 0x00000002,
|
||||
@@ -959,38 +960,51 @@ def fetch_domains(api, mydomain, trustdomain):
|
||||
NETR_TRUST_ATTRIBUTE_WITHIN_FOREST = 0x00000020,
|
||||
NETR_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL = 0x00000040)
|
||||
|
||||
domval = DomainValidator(api)
|
||||
(ccache_name, principal) = domval.kinit_as_http(trustdomain)
|
||||
if ccache_name:
|
||||
with installutils.private_ccache(path=ccache_name):
|
||||
td = TrustDomainInstance('')
|
||||
td.parm.set('workgroup', mydomain)
|
||||
td.creds = credentials.Credentials()
|
||||
td.creds.set_kerberos_state(credentials.MUST_USE_KERBEROS)
|
||||
td.creds.guess(td.parm)
|
||||
netrc = net.Net(creds=td.creds, lp=td.parm)
|
||||
try:
|
||||
result = netrc.finddc(domain=trustdomain, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS)
|
||||
except RuntimeError, e:
|
||||
raise assess_dcerpc_exception(message=str(e))
|
||||
if not result:
|
||||
return None
|
||||
td.retrieve(unicode(result.pdc_dns_name))
|
||||
def communicate(td):
|
||||
td.creds.guess(td.parm)
|
||||
netrc = net.Net(creds=td.creds, lp=td.parm)
|
||||
try:
|
||||
result = netrc.finddc(domain=trustdomain, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS)
|
||||
except RuntimeError, e:
|
||||
raise assess_dcerpc_exception(message=str(e))
|
||||
if not result:
|
||||
return None
|
||||
td.retrieve(unicode(result.pdc_dns_name))
|
||||
|
||||
netr_pipe = netlogon.netlogon(td.binding, td.parm, td.creds)
|
||||
domains = netr_pipe.netr_DsrEnumerateDomainTrusts(td.binding, 1)
|
||||
netr_pipe = netlogon.netlogon(td.binding, td.parm, td.creds)
|
||||
domains = netr_pipe.netr_DsrEnumerateDomainTrusts(td.binding, 1)
|
||||
return domains
|
||||
|
||||
result = []
|
||||
for t in domains.array:
|
||||
if ((t.trust_attributes & trust_attributes['NETR_TRUST_ATTRIBUTE_WITHIN_FOREST']) and
|
||||
(t.trust_flags & trust_flags['NETR_TRUST_FLAG_IN_FOREST'])):
|
||||
res = dict()
|
||||
res['cn'] = unicode(t.dns_name)
|
||||
res['ipantflatname'] = unicode(t.netbios_name)
|
||||
res['ipanttrusteddomainsid'] = unicode(t.sid)
|
||||
res['ipanttrustpartner'] = res['cn']
|
||||
result.append(res)
|
||||
return result
|
||||
domains = None
|
||||
td = TrustDomainInstance('')
|
||||
td.parm.set('workgroup', mydomain)
|
||||
td.creds = credentials.Credentials()
|
||||
if creds is None:
|
||||
domval = DomainValidator(api)
|
||||
(ccache_name, principal) = domval.kinit_as_http(trustdomain)
|
||||
td.creds.set_kerberos_state(credentials.MUST_USE_KERBEROS)
|
||||
if ccache_name:
|
||||
with installutils.private_ccache(path=ccache_name):
|
||||
domains = communicate(td)
|
||||
else:
|
||||
td.creds.set_kerberos_state(credentials.DONT_USE_KERBEROS)
|
||||
td.creds.parse_string(creds)
|
||||
domains = communicate(td)
|
||||
|
||||
if domains is None:
|
||||
return None
|
||||
|
||||
result = []
|
||||
for t in domains.array:
|
||||
if ((t.trust_attributes & trust_attributes['NETR_TRUST_ATTRIBUTE_WITHIN_FOREST']) and
|
||||
(t.trust_flags & trust_flags['NETR_TRUST_FLAG_IN_FOREST'])):
|
||||
res = dict()
|
||||
res['cn'] = unicode(t.dns_name)
|
||||
res['ipantflatname'] = unicode(t.netbios_name)
|
||||
res['ipanttrusteddomainsid'] = unicode(t.sid)
|
||||
res['ipanttrustpartner'] = res['cn']
|
||||
result.append(res)
|
||||
return result
|
||||
|
||||
|
||||
class TrustDomainJoins(object):
|
||||
|
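Review bot: The new `else` branch switches to `DONT_USE_KERBEROS` and feeds the admin password to `parse_string`, so the connection to the DC presumably falls back to NTLM authentication, and the DC it talks to is whatever the unauthenticated `finddc` discovery returned — a host that can answer that lookup would receive a password-derived NTLM exchange for a trusted-domain admin. Prefer keeping `MUST_USE_KERBEROS` and obtaining a ticket for the supplied admin with the password (the same pattern as `kinit_as_http` in the creds-is-None branch) so the DC is mutually authenticated, or at minimum confirm that the netlogon binding built by `td.retrieve` (outside this hunk) requests sign/seal; the binding string is not visible from here. `parse_string` splits on the first `%`, so the `user%password` packing the caller does breaks for user names containing `%`. fetch_domains also deserves a docstring stating the new contract, e.g. `creds: optional "user%password" string for a trusted-domain admin; when None, the HTTP service's Kerberos credentials from kinit_as_http are used and None is returned if no ccache could be obtained`.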