-rw-r--r--ipalib/plugins/trust.py23
-rw-r--r--ipaserver/dcerpc.py80
2 files changed, 67 insertions, 36 deletions
diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index 9ba1f562b..f5cb1e756 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -345,7 +345,20 @@ sides.
base_dn = DN(api.env.container_trusts, api.env.basedn),
filter = trust_filter)
+
result['result'] = entry_to_dict(trusts[0][1], **options)
+ if options.get('trust_type') == u'ad':
+ domains = fetch_domains_from_trust(self, self.trustinstance, result['result'], **options)
+ if domains and len(domains) > 0:
+ for dom in domains:
+ range_name = dom['cn'][0].upper() + '_id_range'
+ range_type=options.get('range_type', u'ipa-ad-trust')
+ dom_sid = dom['ipanttrusteddomainsid'][0]
+ try:
+ self.add_range(range_name, dom_sid, range_type=range_type)
+ except errors.DuplicateEntry:
+ pass
+
result['result']['trusttype'] = [trust_type_string(result['result']['ipanttrusttype'][0])]
result['result']['trustdirection'] = [trust_direction_string(result['result']['ipanttrustdirection'][0])]
result['result']['truststatus'] = [trust_status_string(result['verified'])]
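Review bot: The `except errors.DuplicateEntry: pass` around `self.add_range(...)` discards the failure with no trace, so a child domain whose `<FLATNAME>_id_range` name already exists (possibly created earlier for a different SID) ends up with no usable range and the command reports success as if one had been created. Record it rather than swallow it, e.g. replace `pass` with `self.log.warning("ID range %s already exists, not creating one for %s", range_name, dom_sid)` (or, if the plugin has no logger in scope, surface it in the command output). The guard `if domains and len(domains) > 0:` is just `if domains:`, and `range_type=options.get(...)` on the line above should be spaced per PEP 8 like its neighbours. The enclosing execute method starts before and continues past this hunk.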
@@ -446,7 +459,7 @@ sides.
except errors.NotFound:
old_range = None
- if options.get('type') == u'ad':
+ if options.get('trust_type') == u'ad':
if range_type and range_type not in (u'ipa-ad-trust',
u'ipa-ad-trust-posix'):
raise errors.ValidationError(
@@ -1179,9 +1192,13 @@ class trustdomain_del(LDAPDelete):
api.register(trustdomain_del)
-def fetch_domains_from_trust(self, trustinstance, trust_entry):
+def fetch_domains_from_trust(self, trustinstance, trust_entry, **options):
trust_name = trust_entry['cn'][0]
- domains = ipaserver.dcerpc.fetch_domains(self.api, trustinstance.local_flatname, trust_name)
+ creds = None
+ password = options.get('realm_password', None)
+ if password:
+ creds = u"%s%%%s" % (options.get('realm_admin'), password)
+ domains = ipaserver.dcerpc.fetch_domains(self.api, trustinstance.local_flatname, trust_name, creds=creds)
result = []
if not domains:
return None
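Review bot: `creds = u"%s%%%s" % (options.get('realm_admin'), password)` only checks that a password was supplied, so with `realm_admin` absent the credential string becomes `"None%<password>"` and is sent to the DC as a login attempt for a user named `None`. Validate both halves before building the string: `admin = options.get('realm_admin')` / `if password and admin:` / `creds = u"%s%%%s" % (admin, password)`, and otherwise fall back to the Kerberos path as before. Samba's `parse_string` splits on the first `%`, so a username containing `%` would be mis-parsed here (a `%` in the password is fine) — worth a comment on the `creds =` line. The rest of fetch_domains_from_trust continues past this hunk.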
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index 2b0da45b1..86bb42884 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -939,7 +939,8 @@ class TrustDomainInstance(object):
return True
return False
-def fetch_domains(api, mydomain, trustdomain):
+
+def fetch_domains(api, mydomain, trustdomain, creds=None):
trust_flags = dict(
NETR_TRUST_FLAG_IN_FOREST = 0x00000001,
NETR_TRUST_FLAG_OUTBOUND = 0x00000002,
@@ -959,38 +960,51 @@ def fetch_domains(api, mydomain, trustdomain):
NETR_TRUST_ATTRIBUTE_WITHIN_FOREST = 0x00000020,
NETR_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL = 0x00000040)
- domval = DomainValidator(api)
- (ccache_name, principal) = domval.kinit_as_http(trustdomain)
- if ccache_name:
- with installutils.private_ccache(path=ccache_name):
- td = TrustDomainInstance('')
- td.parm.set('workgroup', mydomain)
- td.creds = credentials.Credentials()
- td.creds.set_kerberos_state(credentials.MUST_USE_KERBEROS)
- td.creds.guess(td.parm)
- netrc = net.Net(creds=td.creds, lp=td.parm)
- try:
- result = netrc.finddc(domain=trustdomain, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS)
- except RuntimeError, e:
- raise assess_dcerpc_exception(message=str(e))
- if not result:
- return None
- td.retrieve(unicode(result.pdc_dns_name))
-
- netr_pipe = netlogon.netlogon(td.binding, td.parm, td.creds)
- domains = netr_pipe.netr_DsrEnumerateDomainTrusts(td.binding, 1)
-
- result = []
- for t in domains.array:
- if ((t.trust_attributes & trust_attributes['NETR_TRUST_ATTRIBUTE_WITHIN_FOREST']) and
- (t.trust_flags & trust_flags['NETR_TRUST_FLAG_IN_FOREST'])):
- res = dict()
- res['cn'] = unicode(t.dns_name)
- res['ipantflatname'] = unicode(t.netbios_name)
- res['ipanttrusteddomainsid'] = unicode(t.sid)
- res['ipanttrustpartner'] = res['cn']
- result.append(res)
- return result
+ def communicate(td):
+ td.creds.guess(td.parm)
+ netrc = net.Net(creds=td.creds, lp=td.parm)
+ try:
+ result = netrc.finddc(domain=trustdomain, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS)
+ except RuntimeError, e:
+ raise assess_dcerpc_exception(message=str(e))
+ if not result:
+ return None
+ td.retrieve(unicode(result.pdc_dns_name))
+
+ netr_pipe = netlogon.netlogon(td.binding, td.parm, td.creds)
+ domains = netr_pipe.netr_DsrEnumerateDomainTrusts(td.binding, 1)
+ return domains
+
+ domains = None
+ td = TrustDomainInstance('')
+ td.parm.set('workgroup', mydomain)
+ td.creds = credentials.Credentials()
+ if creds is None:
+ domval = DomainValidator(api)
+ (ccache_name, principal) = domval.kinit_as_http(trustdomain)
+ td.creds.set_kerberos_state(credentials.MUST_USE_KERBEROS)
+ if ccache_name:
+ with installutils.private_ccache(path=ccache_name):
+ domains = communicate(td)
+ else:
+ td.creds.set_kerberos_state(credentials.DONT_USE_KERBEROS)
+ td.creds.parse_string(creds)
+ domains = communicate(td)
+
+ if domains is None:
+ return None
+
+ result = []
+ for t in domains.array:
+ if ((t.trust_attributes & trust_attributes['NETR_TRUST_ATTRIBUTE_WITHIN_FOREST']) and
+ (t.trust_flags & trust_flags['NETR_TRUST_FLAG_IN_FOREST'])):
+ res = dict()
+ res['cn'] = unicode(t.dns_name)
+ res['ipantflatname'] = unicode(t.netbios_name)
+ res['ipanttrusteddomainsid'] = unicode(t.sid)
+ res['ipanttrustpartner'] = res['cn']
+ result.append(res)
+ return result
class TrustDomainJoins(object):
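Review bot: In the `else` branch, `td.creds.set_kerberos_state(credentials.DONT_USE_KERBEROS)` followed by `td.creds.parse_string(creds)` means the AD administrator's cleartext password is used for NTLM authentication to whatever DC `finddc` returns, and the netlogon pipe is then opened with `td.binding`, which is set inside `td.retrieve()` outside this hunk — confirm that binding requests `[seal]` (or at least `[sign]`), otherwise the enumeration runs over an unprotected channel; a comment on the `else:` line stating that requirement would help the next reader. If `creds` carries a bare user name rather than `DOMAIN\user` or `user@REALM`, `parse_string` leaves the domain unset and `td.creds.guess(td.parm)` in `communicate` may fill it from the `workgroup` set to `mydomain` (the local IPA flat name), so the logon would target the wrong domain — presumably the caller qualifies `realm_admin` first; please verify and note it in the `fetch_domains` docstring. Inside `communicate`, the local `result` holds the finddc reply while the outer `result` is the list of domains; renaming the inner one to `dc` avoids the confusion.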