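def dns_resolve(self, domain=None, kerberos=True):
    """Discover domain controllers, global catalogs and KDCs via DNS SRV records.

    Looks up ``_ldap._tcp.pdc._msdcs[.<domain>]`` for the primary DC,
    ``_ldap._tcp.gc._msdcs[.<domain>]`` for global catalog servers and, when
    ``kerberos`` is set, ``_kerberos._tcp.dc._msdcs[.<domain>]`` for KDCs.
    Targets are appended without duplicates to ``self._dcs``, ``self._gcs``
    and ``self._kdcs``. When the PDC answer's qname reveals the AD domain,
    ``self.domain`` and ``self.baseDN`` are set and ``self.auth.domain`` is
    filled in if it was still None.

    Args:
        domain: DNS domain appended to every query name. Without it the
            host's DNS search list is expected to complete the bare names.
        kerberos: also look up KDCs and point ``self.auth.kdc`` at the first one.

    Returns:
        True, always. A name that does not exist (NXDOMAIN) or carries no SRV
        record (NoAnswer) is skipped; resolver timeouts and server failures
        still propagate to the caller.

    Note:
        SRV answers are not authenticated. If the nameserver in use can be
        spoofed, the hosts recorded here (and all later LDAP/Kerberos traffic)
        are attacker-chosen, so prefer explicitly configured DC/GC hosts when
        the resolver is not trusted.
    """
    logging.debug('Querying domain controller information from DNS')
    basequery = '_ldap._tcp.pdc._msdcs'

    def srv_name(base, suffix):
        # Append the domain suffix when one is known; a bare name relies on the
        # host's DNS search list to complete it.
        return base if suffix is None else '%s.%s' % (base, suffix)

    def lookup(name):
        # SRV answer for *name*, or None when the name is absent or has no SRV
        # records. NOTE: dnspython 2.x deprecates query() in favour of resolve().
        try:
            return self.dnsresolver.query(name, 'SRV')
        except (resolver.NXDOMAIN, resolver.NoAnswer):
            return None

    def add_unique(bucket, record, fmt):
        # Strip the trailing dot of the SRV target and record it once.
        host = str(record.target).rstrip('.')
        logging.debug(fmt % host)
        if host not in bucket:
            bucket.append(host)

    if domain is not None:
        logging.debug('Using domain hint: %s' % str(domain))
    query = srv_name(basequery, domain)

    pdc_answer = lookup(query)
    if pdc_answer is not None:
        qname = str(pdc_answer.qname).lower()
        if qname.startswith(basequery):
            # Whatever the resolver appended after the fixed prefix is the AD domain.
            ad_domain = qname[len(basequery):].strip('.')
            logging.info('Found AD domain: %s' % ad_domain)
            self.domain = ad_domain
            # auth may be None when the object was built without credentials.
            if self.auth is not None and self.auth.domain is None:
                self.auth.domain = ad_domain
            self.baseDN = ADUtils.domain2ldap(ad_domain)
        for record in pdc_answer:
            add_unique(self._dcs, record, 'Found primary DC: %s')

    # Build the GC name from its own prefix instead of query.replace('pdc', 'gc'),
    # which would also rewrite a domain suffix that happens to contain "pdc".
    gc_answer = lookup(srv_name('_ldap._tcp.gc._msdcs', domain))
    if gc_answer is not None:
        for record in gc_answer:
            add_unique(self._gcs, record, 'Found Global Catalog server: %s')

    if kerberos:
        # The KDC query honours the domain like the other two; prefer the domain
        # learned from the PDC answer and fall back to the caller's hint.
        kdc_domain = self.domain if self.domain is not None else domain
        kdc_answer = lookup(srv_name('_kerberos._tcp.dc._msdcs', kdc_domain))
        if kdc_answer is not None:
            for record in kdc_answer:
                add_unique(self._kdcs, record, 'Found KDC: %s')
            if self._kdcs and self.auth is not None:
                self.auth.kdc = self._kdcs[0]
    return True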
def __init__(self, domain=None, auth=None, nameserver=None, dns_tcp=False, dns_timeout=3.0):
    """Initialise per-domain state, lookup caches and the DNS resolver.

    Args:
        domain: AD domain name in DNS form; when given, ``baseDN`` is derived
            from it, otherwise ``baseDN`` starts out as None.
        auth: authentication object, stored as-is (may be None).
        nameserver: a single nameserver address; when set it replaces the
            resolver's system-configured nameserver list.
        dns_tcp: whether DNS queries should go over TCP (stored only).
        dns_timeout: seconds used for both the resolver's per-query timeout
            and its total lifetime (3 s by default).
    """
    self.domain = domain
    self.auth = auth
    # ADDomain instance, attached later by the caller.
    self.domain_object = None
    # Object resolver, attached later as well.
    self.objectresolver = None

    # Hosts discovered by dns_resolve(): the primary-DC query normally
    # yields a single DC; KDCs and global catalog servers are kept apart.
    self._dcs = []
    self._kdcs = []
    self._gcs = []

    # Enumeration results.
    self.domains = {}
    self.nbdomains = {}
    self.groups = {}        # keyed by DN
    self.groups_dnmap = {}  # gid -> DN
    self.computers = {}
    self.users = {}         # keyed by DN

    # dnspython resolver; the cache avoids repeating identical lookups and
    # both timeout knobs are driven by dns_timeout.
    dnsresolver = resolver.Resolver()
    if nameserver:
        dnsresolver.nameservers = [nameserver]
    dnsresolver.cache = resolver.Cache()
    dnsresolver.lifetime = dns_timeout
    dnsresolver.timeout = dns_timeout
    self.dnsresolver = dnsresolver
    self.dns_tcp = dns_tcp
    self.dns_timeout = dns_timeout

    # Project caches described as thread-safe: forward/reverse DNS, SID and
    # SAM lookups, plus a separate SID cache for computer accounts.
    self.dnscache = DNSCache()
    self.sidcache = SidCache()
    self.samcache = SamCache()
    self.computersidcache = SidCache()

    # Forest size and LAPS schema flag, updated during enumeration.
    self.num_domains = 1
    self.has_laps = False

    self.baseDN = ADUtils.domain2ldap(domain) if domain is not None else None
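def dns_resolve(self, domain=None, kerberos=True, options=None):
    """Discover domain controllers, global catalogs and KDCs via DNS SRV records.

    Looks up ``_ldap._tcp.pdc._msdcs[.<domain>]`` for the primary DC,
    ``_ldap._tcp.gc._msdcs[.<domain>]`` for global catalog servers and, when
    ``kerberos`` is set, ``_kerberos._tcp.dc._msdcs[.<domain>]`` for KDCs,
    using TCP when ``self.dns_tcp`` is set. Targets are appended without
    duplicates to ``self._dcs``, ``self._gcs`` and ``self._kdcs``. When the
    PDC answer's qname reveals the AD domain, ``self.domain`` and
    ``self.baseDN`` are set and ``self.auth.domain`` is filled in if it was
    still None.

    Args:
        domain: DNS domain appended to every query name. Without it the
            host's DNS search list is expected to complete the bare names.
        kerberos: also look up KDCs and point ``self.auth.kdc`` at the first one.
        options: parsed command-line options; only ``global_catalog`` and
            ``disable_autogc`` are read, and only when no GC record is found.
            With no manual GC and auto-GC enabled, the DCs found so far are
            copied into ``self._gcs`` after a warning; otherwise a warning
            asks for ``-gc``.

    Returns:
        True, always. A name that does not exist (NXDOMAIN) or carries no SRV
        record (NoAnswer) is skipped; resolver timeouts and server failures
        still propagate to the caller.

    Note:
        SRV answers are not authenticated. If the nameserver in use can be
        spoofed, the hosts recorded here (and all later LDAP/Kerberos traffic)
        are attacker-chosen, so prefer explicitly configured DC/GC hosts when
        the resolver is not trusted.
    """
    logging.debug('Querying domain controller information from DNS')
    basequery = '_ldap._tcp.pdc._msdcs'

    def srv_name(base, suffix):
        # Append the domain suffix when one is known; a bare name relies on the
        # host's DNS search list to complete it.
        return base if suffix is None else '%s.%s' % (base, suffix)

    def lookup(name):
        # SRV answer for *name*, or None when the name is absent or has no SRV
        # records. NOTE: dnspython 2.x deprecates query() in favour of resolve().
        try:
            return self.dnsresolver.query(name, 'SRV', tcp=self.dns_tcp)
        except (resolver.NXDOMAIN, resolver.NoAnswer):
            return None

    def add_unique(bucket, record, fmt):
        # Strip the trailing dot of the SRV target and record it once.
        host = str(record.target).rstrip('.')
        logging.debug(fmt % host)
        if host not in bucket:
            bucket.append(host)

    if domain is not None:
        logging.debug('Using domain hint: %s' % str(domain))
    query = srv_name(basequery, domain)

    pdc_answer = lookup(query)
    if pdc_answer is not None:
        qname = str(pdc_answer.qname).lower()
        if qname.startswith(basequery):
            # Whatever the resolver appended after the fixed prefix is the AD domain.
            ad_domain = qname[len(basequery):].strip('.')
            logging.info('Found AD domain: %s' % ad_domain)
            self.domain = ad_domain
            # auth may be None when the object was built without credentials.
            if self.auth is not None and self.auth.domain is None:
                self.auth.domain = ad_domain
            self.baseDN = ADUtils.domain2ldap(ad_domain)
        for record in pdc_answer:
            add_unique(self._dcs, record, 'Found primary DC: %s')

    # Build the GC name from its own prefix instead of query.replace('pdc', 'gc'),
    # which would also rewrite a domain suffix that happens to contain "pdc".
    gc_answer = lookup(srv_name('_ldap._tcp.gc._msdcs', domain))
    if gc_answer is not None:
        for record in gc_answer:
            add_unique(self._gcs, record, 'Found Global Catalog server: %s')
    # Only warn if we don't already have a GC specified manually
    elif options and not options.global_catalog:
        if not options.disable_autogc:
            logging.warning(
                'Could not find a global catalog server, assuming the primary DC has this role\n'
                'If this gives errors, either specify a hostname with -gc or disable gc resolution with --disable-autogc'
            )
            # Copy rather than alias: a later append to _gcs must not leak into _dcs.
            self._gcs = list(self._dcs)
        else:
            logging.warning('Could not find a global catalog server. Please specify one with -gc')

    if kerberos:
        # The KDC query honours the domain like the other two; prefer the domain
        # learned from the PDC answer and fall back to the caller's hint.
        kdc_domain = self.domain if self.domain is not None else domain
        kdc_answer = lookup(srv_name('_kerberos._tcp.dc._msdcs', kdc_domain))
        if kdc_answer is not None:
            for record in kdc_answer:
                add_unique(self._kdcs, record, 'Found KDC: %s')
            if self._kdcs and self.auth is not None:
                self.auth.kdc = self._kdcs[0]
    return True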