URL: https://github.com/freeipa/freeipa/pull/1294
Author: abbra
Title: #1294: Trust avoid mitkrb trust
Action: opened
PR body:
"""
Quite often users choose wrong type of trust on Active Directory side
when setting up a trust to freeIPA. The trust type supported by freeIPA
is just a normal forest trust to another Active Directory. However,
some people follow old internet recipes that force using a trust to MIT
Kerberos realm.
This is a wrong type of trust. Unfortunately, when someone used MIT
Kerberos realm trust, there is no way to programmatically remote the
trust from freeIPA side. As result, we have to detect such situation and
report an error.
To do proper reporting, we need reuse some constants and trust type
names we use in IPA CLI/Web UI. These common components were moved to
a separate ipaserver/dcerpc_common.py module that is imported by both
ipaserver/plugins/trust.py and ipaserver/dcerpc.py.
Fixes https://pagure.io/freeipa/issue/7264
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1294/head:pr1294
git checkout pr1294
From 3a656c12f37c9e7da19876b8a9ed2097ff1b065e Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Thu, 9 Nov 2017 09:57:47 +0200
Subject: [PATCH 1/3] ipaserver/plugins/trust.py; fix some indenting issues
---
ipaserver/plugins/trust.py | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py
index 0ef290ce6a..f90aaa41f7 100644
--- a/ipaserver/plugins/trust.py
+++ b/ipaserver/plugins/trust.py
@@ -318,15 +318,17 @@ def generate_creds(trustinstance, style, **options):
elif style == CRED_STYLE_KERBEROS:
sp = admin_name.split('\\')
if len(sp) > 1:
- sp = [sp[1]]
+ sp = [sp[1]]
else:
- sp = admin_name.split(sep)
+ sp = admin_name.split(sep)
if len(sp) == 1:
- sp.append(trustinstance.remote_domain.info['dns_domain'].upper())
+ sp.append(trustinstance.remote_domain
+ .info['dns_domain'].upper())
creds = u"{name}%{password}".format(name=sep.join(sp),
password=password)
return creds
+
def add_range(myapi, trustinstance, range_name, dom_sid, *keys, **options):
"""
First, we try to derive the parameters of the ID range based on the
@@ -357,7 +359,7 @@ def add_range(myapi, trustinstance, range_name, dom_sid, *keys, **options):
# CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System
info_filter = '(objectClass=msSFU30DomainInfo)'
info_dn = DN('CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System')\
- + basedn
+ + basedn
# Get the domain validator
domain_validator = ipaserver.dcerpc.DomainValidator(myapi)
@@ -405,7 +407,7 @@ def add_range(myapi, trustinstance, range_name, dom_sid, *keys, **options):
base_id = int(info.get('msSFU30OrderNumber')[0])
range_size = (1 + (max_id - base_id) // DEFAULT_RANGE_SIZE)\
- * DEFAULT_RANGE_SIZE
+ * DEFAULT_RANGE_SIZE
# Second, options given via the CLI options take precedence to discovery
if options.get('range_type', None):
@@ -635,11 +637,10 @@ def warning_if_ad_trust_dom_have_missing_SID(self, result, **options):
pass
else:
for entry in entries:
- add_message(
+ add_message(
options['version'],
result,
- BrokenTrust(domain=entry.single_value['cn'])
- )
+ BrokenTrust(domain=entry.single_value['cn']))
@register()
From 51eee9038a3d45693cf0bc0cc79ebf8f970648ce Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Wed, 8 Nov 2017 14:13:17 +0200
Subject: [PATCH 2/3] trust: detect and error out when non-AD trust with IPA
domain name exists
Quite often users choose wrong type of trust on Active Directory side
when setting up a trust to freeIPA. The trust type supported by freeIPA
is just a normal forest trust to another Active Directory. However,
some people follow old internet recipes that force using a trust to MIT
Kerberos realm.
This is a wrong type of trust. Unfortunately, when someone used MIT
Kerberos realm trust, there is no way to programmatically remote the
trust from freeIPA side. As result, we have to detect such situation and
report an error.
To do proper reporting, we need reuse some constants and trust type
names we use in IPA CLI/Web UI. These common components were moved to
a separate ipaserver/dcerpc_common.py module that is imported by both
ipaserver/plugins/trust.py and ipaserver/dcerpc.py.
Fixes https://pagure.io/freeipa/issue/7264
---
ipaserver/dcerpc.py | 25 +++++++++++------
ipaserver/dcerpc_common.py | 68 ++++++++++++++++++++++++++++++++++++++++++++++
ipaserver/plugins/trust.py | 50 +++++-----------------------------
3 files changed, 91 insertions(+), 52 deletions(-)
create mode 100644 ipaserver/dcerpc_common.py
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index 287122c516..b0684d32be 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -31,6 +31,10 @@
from ipapython import ipautil
from ipapython.dn import DN
from ipaserver.install import installutils
+from ipaserver.dcerpc_common import (TRUST_BIDIRECTIONAL,
+ TRUST_JOIN_EXTERNAL,
+ trust_type_string)
+
from ipalib.util import normalize_name
import os
@@ -75,15 +79,6 @@
logger = logging.getLogger(__name__)
-# Both constants can be used as masks against trust direction
-# because bi-directional has two lower bits set.
-TRUST_ONEWAY = 1
-TRUST_BIDIRECTIONAL = 3
-
-# Trust join behavior
-# External trust -- allow creating trust to a non-root domain in the forest
-TRUST_JOIN_EXTERNAL = 1
-
def is_sid_valid(sid):
try:
@@ -149,6 +144,7 @@ def is_sid_valid(sid):
pysss_nss_idmap.ID_BOTH: 'both',
}
+
class TrustTopologyConflictSolved(Exception):
"""
Internal trust error: raised when previously detected
@@ -1269,6 +1265,17 @@ def establish_trust(self, another_domain, trustdom_secret,
self._policy_handle,
dname,
lsa.LSA_TRUSTED_DOMAIN_INFO_FULL_INFO)
+ if res.info_ex.trust_type != lsa.LSA_TRUST_TYPE_UPLEVEL:
+ raise errors.ValidationError(
+ name=_('AD domain controller'),
+ error=unicode(
+ _('There is already a trust to {ipa_domain} with '
+ 'unsupported type {trust_type}. Please remove '
+ 'it manually on AD DC side.')).format(
+ ipa_domain=another_domain.info['dns_domain'],
+ trust_type=trust_type_string(
+ res.info_ex.trust_type,
+ res.info_ex.trust_attributes)))
self._pipe.DeleteTrustedDomain(self._policy_handle,
res.info_ex.sid)
except RuntimeError as e:
diff --git a/ipaserver/dcerpc_common.py b/ipaserver/dcerpc_common.py
new file mode 100644
index 0000000000..81726857a5
--- /dev/null
+++ b/ipaserver/dcerpc_common.py
@@ -0,0 +1,68 @@
+import six
+from ipalib import _
+if six.PY3:
+ unicode = str
+ long = int
+
+# Both constants can be used as masks against trust direction
+# because bi-directional has two lower bits set.
+TRUST_ONEWAY = 1
+TRUST_BIDIRECTIONAL = 3
+
+# Trust join behavior
+# External trust -- allow creating trust to a non-root domain in the forest
+TRUST_JOIN_EXTERNAL = 1
+
+# We don't want to import any of Samba Python code here just for constants
+# Since these constants set in MS-ADTS, we can rely on their stability
+LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE = 0x00000001
+
+_trust_direction_dict = {1: _('Trusting forest'),
+ 2: _('Trusted forest'),
+ 3: _('Two-way trust')}
+
+_trust_status_dict = {True: _('Established and verified'),
+ False: _('Waiting for confirmation by remote side')}
+
+_trust_type_dict_unknown = _('Unknown')
+
+# Trust type is a combination of ipanttrusttype and ipanttrustattributes
+# We shift trust attributes by 3 bits to left so bit 0 becomes bit 3 and
+# 2+(1 << 3) becomes 10.
+_trust_type_dict = {1: _('Non-Active Directory domain'),
+ 2: _('Active Directory domain'),
+ 3: _('RFC4120-compliant Kerberos realm'),
+ 10: _('Non-transitive external trust to a domain in '
+ 'another Active Directory forest'),
+ 11: _('Non-transitive external trust to an RFC4120-'
+ 'compliant Kerberos realm')}
+
+
+def trust_type_string(level, attrs):
+ """
+ Returns a string representing a type of the trust.
+ The original field is an enum:
+ LSA_TRUST_TYPE_DOWNLEVEL = 0x00000001,
+ LSA_TRUST_TYPE_UPLEVEL = 0x00000002,
+ LSA_TRUST_TYPE_MIT = 0x00000003
+ """
+ transitive = int(attrs) & LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE
+ string = _trust_type_dict.get(int(level) | (transitive << 3),
+ _trust_type_dict_unknown)
+ return unicode(string)
+
+
+def trust_direction_string(level):
+ """
+ Returns a string representing a direction of the trust.
+ The original field is a bitmask taking two bits in use
+ LSA_TRUST_DIRECTION_INBOUND = 0x00000001,
+ LSA_TRUST_DIRECTION_OUTBOUND = 0x00000002
+ """
+ string = _trust_direction_dict.get(int(level), _trust_type_dict_unknown)
+ return unicode(string)
+
+
+def trust_status_string(level):
+ string = _trust_status_dict.get(level, _trust_type_dict_unknown)
+ return unicode(string)
diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py
index f90aaa41f7..e82decfc37 100644
--- a/ipaserver/plugins/trust.py
+++ b/ipaserver/plugins/trust.py
@@ -45,6 +45,13 @@
from ipalib import output
from ldap import SCOPE_SUBTREE
from time import sleep
+from ipaserver.dcerpc_common import (TRUST_ONEWAY,
+ TRUST_BIDIRECTIONAL,
+ TRUST_JOIN_EXTERNAL,
+ LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE,
+ trust_type_string,
+ trust_direction_string,
+ trust_status_string)
if six.PY3:
unicode = str
@@ -64,9 +71,6 @@
if api.env.in_server and api.env.context in ['lite', 'server']:
try:
import ipaserver.dcerpc
- from ipaserver.dcerpc import (TRUST_ONEWAY,
- TRUST_BIDIRECTIONAL,
- TRUST_JOIN_EXTERNAL)
import dbus
import dbus.mainloop.glib
_bindings_installed = True
@@ -160,21 +164,6 @@
register = Registry()
-# Trust type is a combination of ipanttrusttype and ipanttrustattributes
-# We shift trust attributes by 3 bits to left so bit 0 becomes bit 3 and
-# 2+(1 << 3) becomes 10.
-_trust_type_dict = {1 : _('Non-Active Directory domain'),
- 2 : _('Active Directory domain'),
- 3 : _('RFC4120-compliant Kerberos realm'),
- 10: _('Non-transitive external trust to a domain in another Active Directory forest')}
-
-_trust_direction_dict = {1 : _('Trusting forest'),
- 2 : _('Trusted forest'),
- 3 : _('Two-way trust')}
-_trust_status_dict = {True : _('Established and verified'),
- False : _('Waiting for confirmation by remote side')}
-_trust_type_dict_unknown = _('Unknown')
-
_trust_type_option = StrEnum('trust_type',
cli_name='type',
label=_('Trust type (ad for Active Directory, default)'),
@@ -190,31 +179,6 @@
CRED_STYLE_SAMBA = 1
CRED_STYLE_KERBEROS = 2
-LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE = 0x00000001
-
-def trust_type_string(level, attrs):
- """
- Returns a string representing a type of the trust. The original field is an enum:
- LSA_TRUST_TYPE_DOWNLEVEL = 0x00000001,
- LSA_TRUST_TYPE_UPLEVEL = 0x00000002,
- LSA_TRUST_TYPE_MIT = 0x00000003
- """
- transitive = int(attrs) & LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE
- string = _trust_type_dict.get(int(level) | (transitive << 3), _trust_type_dict_unknown)
- return unicode(string)
-
-def trust_direction_string(level):
- """
- Returns a string representing a direction of the trust. The original field is a bitmask taking two bits in use
- LSA_TRUST_DIRECTION_INBOUND = 0x00000001,
- LSA_TRUST_DIRECTION_OUTBOUND = 0x00000002
- """
- string = _trust_direction_dict.get(int(level), _trust_type_dict_unknown)
- return unicode(string)
-
-def trust_status_string(level):
- string = _trust_status_dict.get(level, _trust_type_dict_unknown)
- return unicode(string)
def make_trust_dn(env, trust_type, dn):
assert isinstance(dn, DN)
From 8ea8e783ae2c60af1d032db7858c3272465fba6a Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Thu, 9 Nov 2017 09:57:25 +0200
Subject: [PATCH 3/3] ipaserver/plugins/trust.py: pep8 compliance
---
ipaserver/plugins/trust.py | 410 ++++++++++++++++++++++++---------------------
1 file changed, 223 insertions(+), 187 deletions(-)
diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py
index e82decfc37..73c8420f9c 100644
--- a/ipaserver/plugins/trust.py
+++ b/ipaserver/plugins/trust.py
@@ -82,10 +82,10 @@
Manage trust relationship between IPA and Active Directory domains.
-In order to allow users from a remote domain to access resources in IPA
-domain, trust relationship needs to be established. Currently IPA supports
-only trusts between IPA and Active Directory domains under control of Windows
-Server 2008 or later, with functional level 2008 or later.
+In order to allow users from a remote domain to access resources in IPA domain,
+trust relationship needs to be established. Currently IPA supports only trusts
+between IPA and Active Directory domains under control of Windows Server 2008
+or later, with functional level 2008 or later.
Please note that DNS on both IPA and Active Directory domain sides should be
configured properly to discover each other. Trust relationship relies on
@@ -96,7 +96,8 @@
1. Establish cross-realm trust with Active Directory using AD administrator
credentials:
- ipa trust-add --type=ad <ad.domain> --admin <AD domain administrator> --password
+ ipa trust-add --type=ad <ad.domain> --admin <AD domain administrator> \
+ --password
2. List all existing trust relationships:
@@ -111,35 +112,39 @@
ipa trust-del <ad.domain>
Once trust relationship is established, remote users will need to be mapped
-to local POSIX groups in order to actually use IPA resources. The mapping should
-be done via use of external membership of non-POSIX group and then this group
-should be included into one of local POSIX groups.
+to local POSIX groups in order to actually use IPA resources. The mapping
+should be done via use of external membership of non-POSIX group and then
+this group should be included into one of local POSIX groups.
Example:
-1. Create group for the trusted domain admins' mapping and their local POSIX group:
+1. Create group for the trusted domain admins' mapping and their local POSIX
+group:
- ipa group-add --desc='<ad.domain> admins external map' ad_admins_external --external
+ ipa group-add --desc='<ad.domain> admins external map' \
+ ad_admins_external --external
ipa group-add --desc='<ad.domain> admins' ad_admins
-2. Add security identifier of Domain Admins of the <ad.domain> to the ad_admins_external
- group:
+2. Add security identifier of Domain Admins of the <ad.domain> to the
+ ad_admins_external group:
ipa group-add-member ad_admins_external --external 'AD\\Domain Admins'
-3. Allow members of ad_admins_external group to be associated with ad_admins POSIX group:
+3. Allow members of ad_admins_external group to be associated with
+ ad_admins POSIX group:
ipa group-add-member ad_admins --groups ad_admins_external
-4. List members of external members of ad_admins_external group to see their SIDs:
+4. List members of external members of ad_admins_external group to see
+ their SIDs:
ipa group-show ad_admins_external
GLOBAL TRUST CONFIGURATION
-When IPA AD trust subpackage is installed and ipa-adtrust-install is run,
-a local domain configuration (SID, GUID, NetBIOS name) is generated. These
+When IPA AD trust subpackage is installed and ipa-adtrust-install is run, a
+local domain configuration (SID, GUID, NetBIOS name) is generated. These
identifiers are then used when communicating with a trusted domain of the
particular type.
@@ -148,11 +153,11 @@
ipa trustconfig-show --type ad
2. Modify global configuration for all trusts of Active Directory type and set
- a different fallback primary group (fallback primary group GID is used as
- a primary user GID if user authenticating to IPA domain does not have any other
- primary GID already set):
+ a different fallback primary group (fallback primary group GID is used as a
+ primary user GID if user authenticating to IPA domain does not have any
+ other primary GID already set):
- ipa trustconfig-mod --type ad --fallback-primary-group "alternative AD group"
+ ipa trustconfig-mod --type ad --fallback-primary-group "another AD group"
3. Change primary fallback group back to default hidden group (any group with
posixGroup object class is allowed):
@@ -164,13 +169,14 @@
register = Registry()
-_trust_type_option = StrEnum('trust_type',
- cli_name='type',
- label=_('Trust type (ad for Active Directory, default)'),
- values=(u'ad',),
- default=u'ad',
- autofill=True,
- )
+_trust_type_option = StrEnum(
+ 'trust_type',
+ cli_name='type',
+ label=_('Trust type (ad for Active Directory, default)'),
+ values=(u'ad',),
+ default=u'ad',
+ autofill=True,
+ )
DEFAULT_RANGE_SIZE = 200000
@@ -187,6 +193,7 @@ def make_trust_dn(env, trust_type, dn):
return DN(dn, container_dn)
return dn
+
def find_adtrust_masters(ldap, api):
"""
Returns a list of names of IPA servers with ADTRUST component configured.
@@ -202,6 +209,7 @@ def find_adtrust_masters(ldap, api):
return [entry.dn[1].value for entry in entries]
+
def verify_samba_component_presence(ldap, api):
"""
Verifies that Samba is installed and configured on this particular master.
@@ -235,7 +243,7 @@ def raise_missing_component_error(message):
# First check for packages missing
elif not _bindings_installed:
- error_message=_(
+ error_message = _(
'Cannot perform the selected command without Samba 4 support '
'installed. Make sure you have installed server-trust-ad '
'sub-package of IPA.'
@@ -245,7 +253,7 @@ def raise_missing_component_error(message):
# Packages present, but ADTRUST instance is not configured
elif not adtrust_present:
- error_message=_(
+ error_message = _(
'Cannot perform the selected command without Samba 4 instance '
'configured on this machine. Make sure you have run '
'ipa-adtrust-install on this server.'
@@ -265,7 +273,8 @@ def generate_creds(trustinstance, style, **options):
**options -- options with realm_admin and realm_passwd keys
Result:
- a string representing credentials with first % separating username and password
+ a string representing credentials with first % separating
+ username and password
None is returned if realm_passwd key returns nothing from options
"""
creds = None
@@ -336,7 +345,8 @@ def add_range(myapi, trustinstance, range_name, dom_sid, *keys, **options):
creds = None
if trustinstance:
# Re-use AD administrator credentials if they were provided
- creds = generate_creds(trustinstance, style=CRED_STYLE_KERBEROS, **options)
+ creds = generate_creds(trustinstance,
+ style=CRED_STYLE_KERBEROS, **options)
if creds:
domain_validator._admin_creds = creds
# KDC might not get refreshed data at the first time,
@@ -420,8 +430,11 @@ def fetch_trusted_domains_over_dbus(myapi, forest_name):
_stdout = ''
_stderr = ''
bus = dbus.SystemBus()
- intf = bus.get_object(DBUS_IFACE_TRUST,"/", follow_name_owner_changes=True)
- fetch_domains_method = intf.get_dbus_method('fetch_domains', dbus_interface=DBUS_IFACE_TRUST)
+ intf = bus.get_object(DBUS_IFACE_TRUST, "/",
+ follow_name_owner_changes=True)
+ fetch_domains_method =\
+ intf.get_dbus_method('fetch_domains',
+ dbus_interface=DBUS_IFACE_TRUST)
(_ret, _stdout, _stderr) = fetch_domains_method(forest_name)
except dbus.DBusException as e:
logger.error('Failed to call %s.fetch_domains helper.'
@@ -432,10 +445,12 @@ def fetch_trusted_domains_over_dbus(myapi, forest_name):
logger.error('Standard output from the helper:\n%s---\n', _stdout)
logger.error('Error output from the helper:\n%s--\n', _stderr)
raise errors.ServerCommandError(server=myapi.env.host,
- error=_('Fetching domains from trusted forest failed. '
- 'See details in the error_log'))
+ error=_('Fetching domains from trusted'
+ ' forest failed. See details '
+ 'in the error_log'))
return
+
@register()
class trust(LDAPObject):
"""
@@ -493,8 +508,7 @@ class trust(LDAPObject):
Str('cn',
cli_name='realm',
label=_('Realm name'),
- primary_key=True,
- ),
+ primary_key=True),
Str('ipantflatname',
cli_name='flat_name',
label=_('Domain NetBIOS name'),
@@ -514,20 +528,19 @@ class trust(LDAPObject):
Str('trustdirection',
label=_('Trust direction'),
flags={'virtual_attribute', 'no_create', 'no_update', 'no_search'},
- ),
+ ),
Str('trusttype',
label=_('Trust type'),
flags={'virtual_attribute', 'no_create', 'no_update', 'no_search'},
- ),
+ ),
Str('truststatus',
label=_('Trust status'),
flags={'virtual_attribute', 'no_create', 'no_update', 'no_search'},
- ),
+ ),
Str('ipantadditionalsuffixes*',
cli_name='upn_suffixes',
label=_('UPN suffixes'),
- flags={'no_create', 'no_search'},
- ),
+ flags={'no_create', 'no_search'}),
)
def validate_sid_blacklists(self, entry_attrs):
@@ -542,8 +555,8 @@ def validate_sid_blacklists(self, entry_attrs):
continue
for value in values:
if not ipaserver.dcerpc.is_sid_valid(value):
- raise errors.ValidationError(name=attr,
- error=_("invalid SID: %(value)s") % dict(value=value))
+ err = unicode(_("invalid SID: {SID}")).format(SID=value)
+ raise errors.ValidationError(name=attr, error=err)
def get_dn(self, *keys, **kwargs):
trust_type = kwargs.get('trust_type')
@@ -626,56 +639,51 @@ class trust_add(LDAPCreate):
range_types = {
u'ipa-ad-trust': unicode(_('Active Directory domain range')),
u'ipa-ad-trust-posix': unicode(_('Active Directory trust range with '
- 'POSIX attributes')),
+ 'POSIX attributes')),
}
takes_options = LDAPCreate.takes_options + (
_trust_type_option,
Str('realm_admin?',
cli_name='admin',
- label=_("Active Directory domain administrator"),
- ),
+ label=_("Active Directory domain administrator")),
Password('realm_passwd?',
- cli_name='password',
- label=_("Active Directory domain administrator's password"),
- confirm=False,
- ),
+ cli_name='password',
+ label=_("Active Directory domain administrator's password"),
+ confirm=False),
Str('realm_server?',
cli_name='server',
- label=_('Domain controller for the Active Directory domain (optional)'),
- ),
+ label=_('Domain controller for the Active Directory domain '
+ '(optional)')),
Password('trust_secret?',
- cli_name='trust_secret',
- label=_('Shared secret for the trust'),
- confirm=False,
- ),
+ cli_name='trust_secret',
+ label=_('Shared secret for the trust'),
+ confirm=False),
Int('base_id?',
cli_name='base_id',
- label=_('First Posix ID of the range reserved for the trusted domain'),
- ),
+ label=_('First Posix ID of the range reserved for the trusted '
+ 'domain')),
Int('range_size?',
cli_name='range_size',
- label=_('Size of the ID range reserved for the trusted domain'),
- ),
+ label=_('Size of the ID range reserved for the trusted domain')),
StrEnum('range_type?',
- label=_('Range type'),
- cli_name='range_type',
- doc=(_('Type of trusted domain ID range, one of {vals}'
- .format(vals=', '.join(range_types.keys())))),
- values=tuple(range_types.keys()),
- ),
+ label=_('Range type'),
+ cli_name='range_type',
+ doc=(_('Type of trusted domain ID range, one of {vals}'
+ .format(vals=', '.join(range_types.keys())))),
+ values=tuple(range_types.keys())),
Bool('bidirectional?',
label=_('Two-way trust'),
cli_name='two_way',
- doc=(_('Establish bi-directional trust. By default trust is inbound one-way only.')),
- default=False,
- ),
+ doc=(_('Establish bi-directional trust. By default trust is '
+ 'inbound one-way only.')),
+ default=False),
Bool('external?',
label=_('External trust'),
cli_name='external',
- doc=(_('Establish external trust to a domain in another forest. The trust is not transitive beyond the domain.')),
- default=False,
- ),
+ doc=(_('Establish external trust to a domain in another forest. '
+ 'The trust is not transitive beyond the domain.')),
+ default=False),
)
msg_summary = _('Added Active Directory trust for realm "%(value)s"')
@@ -724,7 +732,8 @@ def execute(self, *keys, **options):
trust_filter = "cn=%s" % result['value']
trusts, _truncated = ldap.find_entries(
- base_dn=DN(self.api.env.container_trusts, self.api.env.basedn),
+ base_dn=DN(self.api.env.container_trusts,
+ self.api.env.basedn),
filter=trust_filter,
attrs_list=attrs_list)
@@ -735,10 +744,11 @@ def execute(self, *keys, **options):
# Note that add_new_domains_from_trust will add needed ranges for
# the algorithmic ID mapping case.
if (options.get('trust_type') == u'ad' and
- options.get('trust_secret') is None):
+ options.get('trust_secret') is None):
+
if options.get('bidirectional') == True:
- # Bidirectional trust allows us to use cross-realm TGT, so we can
- # run the call under original user's credentials
+ # Bidirectional trust allows us to use cross-realm TGT,
+ # so we can run the call under original user's credentials
res = fetch_domains_from_trust(self.api, self.trustinstance,
**options)
add_new_domains_from_trust(
@@ -794,7 +804,8 @@ def validate_options(self, *keys, **options):
# If domain name and realm does not match, IPA server is not be able
# to establish trust with Active Directory.
- realm_not_matching_domain = (self.api.env.domain.upper() != self.api.env.realm)
+ realm_not_matching_domain =\
+ self.api.env.domain.upper() != self.api.env.realm
if options['trust_type'] == u'ad' and realm_not_matching_domain:
raise errors.ValidationError(
@@ -921,11 +932,12 @@ def validate_range(self, *keys, **options):
)
if range_type and range_type != old_range_type:
- raise errors.ValidationError(name=_('range type change'),
- error=_('ID range for the trusted domain already exists, '
- 'but it has a different type. Please remove the '
- 'old range manually, or do not enforce type '
- 'via --range-type option.'))
+ raise errors.ValidationError(
+ name=_('range type change'),
+ error=_('ID range for the trusted domain already '
+ 'exists, but it has a different type. Please '
+ 'remove the old range manually, or do not '
+ 'enforce type via --range-type option.'))
return old_range, range_name, dom_sid
@@ -960,33 +972,48 @@ def execute_ad(self, full_join, *keys, **options):
trust_type
)
except errors.NotFound:
- error_message=_("Unable to resolve domain controller for '%s' domain. ") % (keys[-1])
- instructions=[]
+ _message = _("Unable to resolve domain controller for "
+ "{domain} domain. ")
+ error_message = unicode(_message).format(domain=keys[-1])
+ instructions = []
+
if dns_container_exists(self.obj.backend):
try:
- dns_zone = self.api.Command.dnszone_show(keys[-1])['result']
- if ('idnsforwardpolicy' in dns_zone) and dns_zone['idnsforwardpolicy'][0] == u'only':
- instructions.append(_("Forward policy is defined for it in IPA DNS, "
- "perhaps forwarder points to incorrect host?"))
+ dns_zone = self.api.Command.dnszone_show(
+ keys[-1])['result']
+
+ if (('idnsforwardpolicy' in dns_zone) and
+ dns_zone['idnsforwardpolicy'][0] == u'only'):
+
+ instructions.append(_("Forward policy is defined "
+ "for it in IPA DNS, perhaps "
+ "forwarder points to "
+ "incorrect host?"))
except (errors.NotFound, KeyError):
- instructions.append(_("IPA manages DNS, please verify "
- "your DNS configuration and "
- "make sure that service records "
- "of the '%(domain)s' domain can "
- "be resolved. Examples how to "
- "configure DNS with CLI commands "
- "or the Web UI can be found in "
- "the documentation. " ) %
- dict(domain=keys[-1]))
+ _instruction = _("IPA manages DNS, please verify "
+ "your DNS configuration and "
+ "make sure that service records "
+ "of the '{domain}' domain can "
+ "be resolved. Examples how to "
+ "configure DNS with CLI commands"
+ " or the Web UI can be found in "
+ "the documentation. ")
+ instructions.append(unicode(_instruction)
+ .format(domain=keys[-1]))
else:
- instructions.append(_("Since IPA does not manage DNS records, ensure DNS "
- "is configured to resolve '%(domain)s' domain from "
- "IPA hosts and back.") % dict(domain=keys[-1]))
- raise errors.NotFound(reason=error_message, instructions=instructions)
+ _instruction = _("Since IPA does not manage DNS "
+ "records, ensure DNS is configured "
+ "to resolve '{domain}' domain from "
+ "IPA hosts and back.")
+ instructions.append(unicode(_instruction)
+ .format(domain=keys[-1]))
+ raise errors.NotFound(reason=error_message,
+ instructions=instructions)
if result is None:
raise errors.ValidationError(name=_('AD Trust setup'),
- error=_('Unable to verify write permissions to the AD'))
+ error=_('Unable to verify write '
+ 'permissions to the AD'))
ret = dict(
value=pkey_to_value(
@@ -1023,12 +1050,14 @@ def execute_ad(self, full_join, *keys, **options):
error=_('Not enough arguments specified to perform trust '
'setup'))
+
@register()
class trust_del(LDAPDelete):
__doc__ = _('Delete a trust.')
msg_summary = _('Deleted trust "%(value)s"')
+
@register()
class trust_mod(LDAPUpdate):
__doc__ = _("""
@@ -1041,13 +1070,14 @@ class trust_mod(LDAPUpdate):
msg_summary = _('Modified trust "%(value)s" '
'(change will be effective in 60 seconds)')
- def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
+ def pre_callback(self, ldap, dn, e_attrs, attrs_list, *keys, **options):
assert isinstance(dn, DN)
- self.obj.validate_sid_blacklists(entry_attrs)
+ self.obj.validate_sid_blacklists(e_attrs)
return dn
+
@register()
class trust_find(LDAPSearch):
__doc__ = _('Search for trusts.')
@@ -1058,9 +1088,10 @@ class trust_find(LDAPSearch):
'%(count)d trust matched', '%(count)d trusts matched', 0
)
- # Since all trusts types are stored within separate containers under 'cn=trusts',
- # search needs to be done on a sub-tree scope
- def pre_callback(self, ldap, filters, attrs_list, base_dn, scope, *args, **options):
+ # Since all trusts types are stored within separate containers
+ # under 'cn=trusts', search needs to be done on a sub-tree scope
+ def pre_callback(self, ldap, filters, attrs_list,
+ base_dn, scope, *args, **options):
# list only trust, not trust domains
return (filters, base_dn, ldap.SCOPE_SUBTREE)
@@ -1080,13 +1111,15 @@ def post_callback(self, ldap, entries, truncated, *args, **options):
trust_type = attrs.single_value.get('ipanttrusttype', None)
attributes = attrs.single_value.get('ipanttrustattributes', 0)
if not options.get('raw', False) and trust_type is not None:
- attrs['trusttype'] = [trust_type_string(trust_type, attributes)]
+ attrs['trusttype'] = [trust_type_string(trust_type,
+ attributes)]
del attrs['ipanttrusttype']
if attributes:
del attrs['ipanttrustattributes']
return truncated
+
@register()
class trust_show(LDAPRetrieve):
__doc__ = _('Display information about a trust.')
@@ -1102,7 +1135,7 @@ def execute(self, *keys, **options):
return result
- def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
+ def post_callback(self, ldap, dn, e_attrs, *keys, **options):
assert isinstance(dn, DN)
# Translate ipanttrusttype to trusttype
@@ -1110,25 +1143,27 @@ def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
# if --raw not used
if not options.get('raw', False):
- trust_type = entry_attrs.single_value.get('ipanttrusttype', None)
- attributes = entry_attrs.single_value.get('ipanttrustattributes', 0)
+ trust_type = e_attrs.single_value.get('ipanttrusttype', None)
+ attributes = e_attrs.single_value.get('ipanttrustattributes', 0)
if trust_type is not None:
- entry_attrs['trusttype'] = [trust_type_string(trust_type, attributes)]
- del entry_attrs['ipanttrusttype']
+ e_attrs['trusttype'] = [trust_type_string(trust_type,
+ attributes)]
+ del e_attrs['ipanttrusttype']
- dir_str = entry_attrs.single_value.get('ipanttrustdirection', None)
+ dir_str = e_attrs.single_value.get('ipanttrustdirection', None)
if dir_str is not None:
- entry_attrs['trustdirection'] = [trust_direction_string(dir_str)]
- del entry_attrs['ipanttrustdirection']
+ e_attrs['trustdirection'] = [trust_direction_string(dir_str)]
+ del e_attrs['ipanttrustdirection']
if attributes:
- del entry_attrs['ipanttrustattributes']
+ del e_attrs['ipanttrustattributes']
return dn
_trustconfig_dn = {
- u'ad': DN(('cn', api.env.domain), api.env.container_cifsdomains, api.env.basedn),
+ u'ad': DN(('cn', api.env.domain),
+ api.env.container_cifsdomains, api.env.basedn),
}
@@ -1149,36 +1184,29 @@ class trustconfig(LDAPObject):
takes_params = (
Str('cn',
label=_('Domain'),
- flags=['no_update'],
- ),
+ flags=['no_update']),
Str('ipantsecurityidentifier',
label=_('Security Identifier'),
- flags=['no_update'],
- ),
+ flags=['no_update']),
Str('ipantflatname',
label=_('NetBIOS name'),
- flags=['no_update'],
- ),
+ flags=['no_update']),
Str('ipantdomainguid',
label=_('Domain GUID'),
- flags=['no_update'],
- ),
+ flags=['no_update']),
Str('ipantfallbackprimarygroup',
cli_name='fallback_primary_group',
- label=_('Fallback primary group'),
- ),
+ label=_('Fallback primary group')),
Str(
'ad_trust_agent_server*',
label=_('IPA AD trust agents'),
doc=_('IPA servers configured as AD trust agents'),
- flags={'virtual_attribute', 'no_create', 'no_update'}
- ),
+ flags={'virtual_attribute', 'no_create', 'no_update'}),
Str(
'ad_trust_controller_server*',
label=_('IPA AD trust controllers'),
doc=_('IPA servers configured as AD trust controllers'),
- flags={'virtual_attribute', 'no_create', 'no_update'}
- ),
+ flags={'virtual_attribute', 'no_create', 'no_update'}),
)
def get_dn(self, *keys, **kwargs):
@@ -1189,7 +1217,7 @@ def get_dn(self, *keys, **kwargs):
return _trustconfig_dn[kwargs['trust_type']]
except KeyError:
raise errors.ValidationError(name='trust_type',
- error=_("unsupported trust type"))
+ error=_("unsupported trust type"))
def _normalize_groupdn(self, entry_attrs):
"""
@@ -1258,8 +1286,8 @@ class trustconfig_mod(LDAPUpdate):
msg_summary = _('Modified "%(value)s" trust configuration')
has_output = output.simple_entry
- def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
- self.obj._normalize_groupdn(entry_attrs)
+ def pre_callback(self, ldap, dn, e_attrs, attrs_list, *keys, **options):
+ self.obj._normalize_groupdn(e_attrs)
return dn
def execute(self, *keys, **options):
@@ -1267,14 +1295,13 @@ def execute(self, *keys, **options):
result['value'] = pkey_to_value(options['trust_type'], options)
return result
- def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
- self.obj._convert_groupdn(entry_attrs, options)
+ def post_callback(self, ldap, dn, e_attrs, *keys, **options):
+ self.obj._convert_groupdn(e_attrs, options)
self.api.Object.config.show_servroles_attributes(
- entry_attrs, "AD trust agent", "AD trust controller", **options)
+ e_attrs, "AD trust agent", "AD trust controller", **options)
return dn
-
@register()
class trustconfig_show(LDAPRetrieve):
__doc__ = _('Show global trust configuration.')
@@ -1297,28 +1324,30 @@ def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
if _nss_idmap_installed:
_idmap_type_dict = {
- pysss_nss_idmap.ID_USER : 'user',
- pysss_nss_idmap.ID_GROUP : 'group',
- pysss_nss_idmap.ID_BOTH : 'both',
+ pysss_nss_idmap.ID_USER: 'user',
+ pysss_nss_idmap.ID_GROUP: 'group',
+ pysss_nss_idmap.ID_BOTH: 'both',
}
+
def idmap_type_string(level):
string = _idmap_type_dict.get(int(level), 'unknown')
return unicode(string)
+
@register()
class trust_resolve(Command):
NO_CLI = True
- __doc__ = _('Resolve security identifiers of users and groups in trusted domains')
+ __doc__ = _('Resolve security identifiers of users and groups '
+ 'in trusted domains')
takes_options = (
Str('sids+',
- label = _('Security Identifiers (SIDs)'),
- ),
+ label=_('Security Identifiers (SIDs)')),
)
has_output_params = (
- Str('name', label= _('Name')),
- Str('sid', label= _('SID')),
+ Str('name', label=_('Name')),
+ Str('sid', label=_('SID')),
)
has_output = (
@@ -1330,13 +1359,15 @@ def execute(self, *keys, **options):
if not _nss_idmap_installed:
return dict(result=result)
try:
+ NAME_KEY = pysss_nss_idmap.NAME_KEY
+ TYPE_KEY = pysss_nss_idmap.TYPE_KEY
sids = [str(x) for x in options['sids']]
xlate = pysss_nss_idmap.getnamebysid(sids)
for sid in xlate:
entry = dict()
entry['sid'] = [unicode(sid)]
- entry['name'] = [unicode(xlate[sid][pysss_nss_idmap.NAME_KEY])]
- entry['type'] = [idmap_type_string(xlate[sid][pysss_nss_idmap.TYPE_KEY])]
+ entry['name'] = [unicode(xlate[sid][NAME_KEY])]
+ entry['type'] = [idmap_type_string(xlate[sid][TYPE_KEY])]
result.append(entry)
except ValueError:
pass
@@ -1344,7 +1375,6 @@ def execute(self, *keys, **options):
return dict(result=result)
-
@register()
class adtrust_is_enabled(Command):
NO_CLI = True
@@ -1371,7 +1401,6 @@ def execute(self, *keys, **options):
return dict(result=True)
-
@register()
class compat_is_enabled(Command):
NO_CLI = True
@@ -1415,7 +1444,6 @@ def execute(self, *keys, **options):
return dict(result=True)
-
@register()
class sidgen_was_run(Command):
"""
@@ -1465,7 +1493,7 @@ class trustdomain(LDAPObject):
Object representing a domain of the AD trust.
"""
parent_object = 'trust'
- trust_type_idx = {'2':u'ad'}
+ trust_type_idx = {'2': u'ad'}
object_name = _('trust domain')
object_name_plural = _('trust domains')
object_class = ['ipaNTTrustedDomain']
@@ -1482,40 +1510,39 @@ class trustdomain(LDAPObject):
Str('cn',
label=_('Domain name'),
cli_name='domain',
- primary_key=True
- ),
+ primary_key=True),
Str('ipantflatname?',
cli_name='flat_name',
- label=_('Domain NetBIOS name'),
- ),
+ label=_('Domain NetBIOS name')),
Str('ipanttrusteddomainsid?',
cli_name='sid',
- label=_('Domain Security Identifier'),
- ),
+ label=_('Domain Security Identifier')),
Flag('domain_enabled',
- label=_('Domain enabled'),
- flags={'virtual_attribute', 'no_create', 'no_update', 'no_search'},
- ),
+ label=_('Domain enabled'),
+ flags={'virtual_attribute',
+ 'no_create', 'no_update', 'no_search'}),
)
- # LDAPObject.get_dn() only passes all but last element of keys and no kwargs
- # to the parent object's get_dn() no matter what you pass to it. Make own get_dn()
- # as we really need all elements to construct proper dn.
+ # LDAPObject.get_dn() only passes all but last element of keys and no
+ # kwargs to the parent object's get_dn() no matter what you pass to it.
+ # Make own get_dn() as we really need all elements to construct proper dn.
def get_dn(self, *keys, **kwargs):
sdn = [('cn', x) for x in keys]
sdn.reverse()
trust_type = kwargs.get('trust_type')
if not trust_type:
- trust_type=u'ad'
+ trust_type = u'ad'
- dn=make_trust_dn(self.env, trust_type, DN(*sdn))
+ dn = make_trust_dn(self.env, trust_type, DN(*sdn))
return dn
+
@register()
class trustdomain_find(LDAPSearch):
__doc__ = _('Search domains of the trust')
- def pre_callback(self, ldap, filters, attrs_list, base_dn, scope, *args, **options):
+ def pre_callback(self, ldap, filters, attrs_list, base_dn,
+ scope, *args, **options):
return (filters, base_dn, ldap.SCOPE_SUBTREE)
def post_callback(self, ldap, entries, truncated, *args, **options):
@@ -1536,7 +1563,6 @@ def post_callback(self, ldap, entries, truncated, *args, **options):
return truncated
-
@register()
class trustdomain_mod(LDAPUpdate):
__doc__ = _('Modify trustdomain of the trust')
@@ -1544,31 +1570,36 @@ class trustdomain_mod(LDAPUpdate):
NO_CLI = True
takes_options = LDAPUpdate.takes_options + (_trust_type_option,)
+
@register()
class trustdomain_add(LDAPCreate):
__doc__ = _('Allow access from the trusted domain')
NO_CLI = True
takes_options = LDAPCreate.takes_options + (_trust_type_option,)
- def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
- # ipaNTTrustPartner must always be set to the name of the trusted domain
- # See MS-ADTS 6.1.6.7.13
- entry_attrs['ipanttrustpartner'] = [dn[0]['cn']]
+
+ def pre_callback(self, ldap, dn, e_attrs, attrs_list, *keys, **options):
+ # ipaNTTrustPartner must always be set to the name of the trusted
+ # domain. See MS-ADTS 6.1.6.7.13
+ e_attrs['ipanttrustpartner'] = [dn[0]['cn']]
return dn
@register()
class trustdomain_del(LDAPDelete):
- __doc__ = _('Remove information about the domain associated with the trust.')
+ __doc__ = _('Remove information about the domain associated '
+ 'with the trust.')
- msg_summary = _('Removed information about the trusted domain "%(value)s"')
+ msg_summary = _('Removed information about the trusted domain '
+ '"%(value)s"')
def execute(self, *keys, **options):
ldap = self.api.Backend.ldap2
verify_samba_component_presence(ldap, self.api)
- # Note that pre-/post- callback handling for LDAPDelete is causing pre_callback
- # to always receive empty keys. We need to catch the case when root domain is being deleted
+ # Note that pre-/post- callback handling for LDAPDelete is causing
+ # pre_callback to always receive empty keys. We need to catch the case
+ # when root domain is being deleted
for domain in keys[1]:
try:
@@ -1607,10 +1638,10 @@ def fetch_domains_from_trust(myapi, trustinstance, **options):
forest_root_name = trustinstance.remote_domain.info['dns_forest']
# We want to use Kerberos if we have admin credentials even with SMB calls
- # as eventually use of NTLMSSP will be deprecated for trusted domain operations
- # If admin credentials are missing, 'creds' will be None and fetch_domains
- # will use HTTP/ipa.master@IPA.REALM principal, e.g. Kerberos authentication
- # as well.
+ # as eventually use of NTLMSSP will be deprecated for trusted domain
+ # operations If admin credentials are missing, 'creds' will be None and
+ # fetch_domains will use HTTP/ipa.master@IPA.REALM principal, e.g. Kerberos
+ # authentication as well.
creds = generate_creds(trustinstance, style=CRED_STYLE_KERBEROS, **options)
server = options.get('realm_server', None)
domains = ipaserver.dcerpc.fetch_domains(
@@ -1620,7 +1651,8 @@ def fetch_domains_from_trust(myapi, trustinstance, **options):
return domains
-def add_new_domains_from_trust(myapi, trustinstance, trust_entry, domains, **options):
+def add_new_domains_from_trust(myapi, trustinstance, trust_entry,
+ domains, **options):
result = []
if not domains:
return result
@@ -1691,8 +1723,8 @@ class trust_fetch_domains(LDAPRetrieve):
takes_options = LDAPRetrieve.takes_options + (
Str('realm_server?',
cli_name='server',
- label=_('Domain controller for the Active Directory domain (optional)'),
- ),
+ label=_('Domain controller for the Active Directory domain '
+ '(optional)')),
)
def execute(self, *keys, **options):
@@ -1733,7 +1765,9 @@ def execute(self, *keys, **options):
if keys[0].lower() == keys[1].lower():
raise errors.ValidationError(name='domain',
- error=_("Root domain of the trust is always enabled for the existing trust"))
+ error=_("Root domain of the trust is "
+ "always enabled for the "
+ "existing trust"))
try:
trust_dn = self.obj.get_dn(keys[0], trust_type=u'ad')
trust_entry = ldap.get_entry(trust_dn)
@@ -1771,7 +1805,9 @@ def execute(self, *keys, **options):
if keys[0].lower() == keys[1].lower():
raise errors.ValidationError(name='domain',
- error=_("cannot disable root domain of the trust, use trust-del to delete the trust itself"))
+ error=_("cannot disable root domain "
+ "of the trust, use trust-del "
+ "to delete the trust itself"))
try:
trust_dn = self.obj.get_dn(keys[0], trust_type=u'ad')
trust_entry = ldap.get_entry(trust_dn)
_______________________________________________
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
