def get_trusted_domain_user_and_groups(self, object_name):
    """
    Return ``(object_sid, group_sids)`` for a trusted-domain user.

    ``object_name`` may be either a SID string or a user name; which one it
    is gets decided by ``is_sid_valid``. The lookup goes through SSSD first
    (``pysss_nss_idmap`` / ``pysss``). If SSSD yields no group list, the
    private ``__get_trusted_domain_user_and_groups`` helper is used instead,
    which queries the trusted domain's AD DC over LDAP directly.

    LIMITATIONS:
        - only Trusted Admins group members can use this function, because
          the fallback path uses the secret of the IPA-Trusted domain link
          when the SSSD lookup failed
        - the list of group SIDs does not contain group memberships outside
          of the trusted domain
    """
    sid = None
    member_of = None

    if is_sid_valid(object_name):
        # Caller handed us a SID: keep it and ask SSSD for the matching name,
        # since pysss.getgrouplist is called with a name, not a SID.
        sid = object_name
        resolved = pysss_nss_idmap.getnamebysid(object_name)
        if object_name in resolved:
            entry = resolved[object_name]
            if pysss_nss_idmap.NAME_KEY in entry:
                member_of = pysss.getgrouplist(
                    entry[pysss_nss_idmap.NAME_KEY])
    else:
        # Caller handed us a name: the group list is only fetched when SSSD
        # can also map that name to a SID.
        resolved = pysss_nss_idmap.getsidbyname(object_name)
        if object_name in resolved:
            entry = resolved[object_name]
            if pysss_nss_idmap.SID_KEY in entry:
                sid = entry[pysss_nss_idmap.SID_KEY]
                member_of = pysss.getgrouplist(object_name)

    if not member_of:
        # An empty group list is treated exactly like a failed lookup: both
        # hand over to the direct AD DC LDAP query (the path that, per the
        # limitations above, relies on the trust secret).
        return self.__get_trusted_domain_user_and_groups(object_name)

    # NOTE(review): group names that SSSD cannot map to a SID are presumably
    # absent from this mapping, so the returned list may be shorter than
    # the group list -- confirm before relying on it for deny decisions.
    sid_map = pysss_nss_idmap.getsidbyname(member_of)
    group_sids = [
        info[pysss_nss_idmap.SID_KEY] for info in sid_map.values()
    ]
    return (sid, group_sids)
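def get_group_list(user, include_default=True):
    """
    Returns a sorted list of all of the system group names of which the user
    is a member.

    Lookup order: ``os.getgrouplist`` when the ``os`` module provides it,
    otherwise ``pysss.getgrouplist`` when ``HAS_PYSSS`` is set. If the chosen
    lookup raises, the generic fallback scans ``grp.getgrall()`` for entries
    listing the user in ``gr_mem`` and adds the user's default group.

    Callers that base access decisions on this list should keep in mind that
    a failed primary lookup does not raise: the result then comes from the
    fallback scan, and an empty list is returned when the ``grp`` or ``pwd``
    modules are unavailable. Lookup failures are logged at debug level so
    that such a degraded result can be traced.

    :param user: name of the user to look up
    :param include_default: when ``False``, the user's default (primary)
        group is removed from the result
    :return: sorted list of group names
    """
    if HAS_GRP is False or HAS_PWD is False:
        return []
    group_names = None
    ugroups = set()
    if hasattr(os, "getgrouplist"):
        # Try os.getgrouplist, available in python >= 3.3
        log.trace("Trying os.getgrouplist for '%s'", user)
        try:
            group_names = [
                grp.getgrgid(grpid).gr_name
                for grpid in os.getgrouplist(user, pwd.getpwnam(user).pw_gid)
            ]
        except Exception as exc:  # pylint: disable=broad-except
            # Still best effort, but leave a trace: the generic fallback
            # below replaces this result and may not list the same groups.
            log.debug("os.getgrouplist lookup failed for '%s': %s", user, exc)
    elif HAS_PYSSS:
        # Try pysss.getgrouplist
        log.trace("Trying pysss.getgrouplist for '%s'", user)
        try:
            group_names = list(pysss.getgrouplist(user))
        except Exception as exc:  # pylint: disable=broad-except
            # Same reasoning as above: record why the fallback was needed.
            log.debug("pysss.getgrouplist lookup failed for '%s': %s", user, exc)

    if group_names is None:
        # Fall back to generic code
        # Include the user's default group to match behavior of
        # os.getgrouplist() and pysss.getgrouplist()
        log.trace("Trying generic group list for '%s'", user)
        group_names = [g.gr_name for g in grp.getgrall() if user in g.gr_mem]
        try:
            default_group = get_default_group(user)
            if default_group not in group_names:
                group_names.append(default_group)
        except KeyError:
            # If for some reason the user does not have a default group
            pass

    if group_names is not None:
        ugroups.update(group_names)

    if include_default is False:
        # Historically, saltstack code for getting group lists did not
        # include the default group. Some things may only want
        # supplemental groups, so include_default=False omits the users
        # default group.
        try:
            default_group = grp.getgrgid(pwd.getpwnam(user).pw_gid).gr_name
        except KeyError:
            # If for some reason the user does not have a default group
            pass
        else:
            # discard() so that a default group missing from the set is a
            # no-op rather than a KeyError that has to be swallowed.
            ugroups.discard(default_group)
    log.trace("Group list for user '%s': %s", user, sorted(ugroups))
    return sorted(ugroups)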
def get_group_list(self):
    """
    Return the group list that ``pysss.getgrouplist`` reports for
    ``self.user``.

    ``pysss`` is imported inside the function, so the module is only needed
    when this method is actually called. Nothing is caught here: an import
    failure or a lookup error propagates to the caller.
    """
    import pysss

    username = self.user
    return pysss.getgrouplist(username)
def get_group_list(self):
    """
    Return the group list that ``pysss.getgrouplist`` reports for
    ``self.user``.

    The result is passed through unchanged and no exception is handled
    here, so a lookup error propagates to the caller.
    """
    username = self.user
    return pysss.getgrouplist(username)
def get_group_list(self):
    """
    Return the group list that ``pysss.getgrouplist`` reports for
    ``self.user``.

    The result is passed through unchanged and no exception is handled
    here, so a lookup error propagates to the caller.
    """
    username = self.user
    return pysss.getgrouplist(username)