diff options
Diffstat (limited to 'ipaserver/dcerpc.py')
-rw-r--r-- | ipaserver/dcerpc.py | 42 |
1 files changed, 28 insertions, 14 deletions
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py index 0dde3473..d809c416 100644 --- a/ipaserver/dcerpc.py +++ b/ipaserver/dcerpc.py @@ -655,7 +655,7 @@ class TrustDomainInstance(object): except RuntimeError, (num, message): raise assess_dcerpc_exception(num=num, message=message) - def __init_lsa_pipe(self, remote_host): + def init_lsa_pipe(self, remote_host): """ Try to initialize connection to the LSA pipe at remote host. This method tries consequently all possible transport options @@ -692,7 +692,7 @@ class TrustDomainInstance(object): """ There are multiple transports to issue LSA calls. However, depending on a system in use they may be blocked by local operating system policies. - Generate all we can use. __init_lsa_pipe() will try them one by one until + Generate all we can use. init_lsa_pipe() will try them one by one until there is one working. We try NCACN_NP before NCACN_IP_TCP and signed sessions before unsigned. @@ -753,7 +753,7 @@ class TrustDomainInstance(object): return naming_ref.match(context).group(1) def retrieve(self, remote_host): - self.__init_lsa_pipe(remote_host) + self.init_lsa_pipe(remote_host) objectAttribute = lsa.ObjectAttribute() objectAttribute.sec_qos = lsa.QosInfo() @@ -964,34 +964,48 @@ def fetch_domains(api, mydomain, trustdomain, creds=None): NETR_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL = 0x00000040) def communicate(td): - td.creds.guess(td.parm) - netrc = net.Net(creds=td.creds, lp=td.parm) - try: - result = netrc.finddc(domain=trustdomain, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS) - except RuntimeError, e: - raise assess_dcerpc_exception(message=str(e)) - if not result: - return None - td.retrieve(unicode(result.pdc_dns_name)) - + td.init_lsa_pipe(td.info['dc']) netr_pipe = netlogon.netlogon(td.binding, td.parm, td.creds) domains = netr_pipe.netr_DsrEnumerateDomainTrusts(td.binding, 1) return domains domains = None + domain_validator = DomainValidator(api) + configured = domain_validator.is_configured() + if not configured: + return None + td = TrustDomainInstance('') td.parm.set('workgroup', mydomain) - td.creds = credentials.Credentials() + cr = credentials.Credentials() + cr.set_kerberos_state(credentials.DONT_USE_KERBEROS) + cr.guess(td.parm) + cr.set_anonymous() + cr.set_workstation(domain_validator.flatname) + netrc = net.Net(creds=cr, lp=td.parm) + try: + result = netrc.finddc(domain=trustdomain, + flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS) + except RuntimeError, e: + raise assess_dcerpc_exception(message=str(e)) + + td.info['dc'] = unicode(result.pdc_dns_name) if creds is None: domval = DomainValidator(api) (ccache_name, principal) = domval.kinit_as_http(trustdomain) + td.creds = credentials.Credentials() td.creds.set_kerberos_state(credentials.MUST_USE_KERBEROS) if ccache_name: with installutils.private_ccache(path=ccache_name): + td.creds.guess(td.parm) + td.creds.set_workstation(domain_validator.flatname) domains = communicate(td) else: + td.creds = credentials.Credentials() td.creds.set_kerberos_state(credentials.DONT_USE_KERBEROS) + td.creds.guess(td.parm) td.creds.parse_string(creds) + td.creds.set_workstation(domain_validator.flatname) domains = communicate(td) if domains is None: |