 def resolve_binary_sid(self, bsid):
     """
     Turn a binary SID into a BloodHound object reference.

     Returns a dict with 'ObjectID' and 'ObjectType'. Well-known SIDs are
     answered from ADUtils.WELLKNOWN_SIDS with a domain-prefixed ObjectID;
     every other SID is served from self.addomain.sidcache, falling back to
     an LDAP lookup through self.resolver (via the Global Catalog when the
     SID does not belong to the current domain). A SID that cannot be
     resolved is reported as type 'Unknown' and, like successful lookups,
     stays cached for the lifetime of the cache, so a transient lookup
     failure is not retried on later calls.
     """
     sid = LDAP_SID(bsid).formatCanonical()

     wellknown = ADUtils.WELLKNOWN_SIDS.get(sid)
     if wellknown is not None:
         return {
             'ObjectID': u'%s-%s' % (self.addomain.domain.upper(), sid),
             'ObjectType': wellknown[1].capitalize(),
         }

     cache = self.addomain.sidcache
     try:
         entry = cache.get(sid)
     except KeyError:
         # Cache miss: SIDs outside the current domain are only reachable
         # through the Global Catalog.
         use_gc = not sid.startswith(self.addomain.domain_object.sid)
         ldapentry = self.resolver.resolve_sid(sid, use_gc)
         if ldapentry:
             entry = ADUtils.resolve_ad_entry(ldapentry)
         else:
             logging.warning('Could not resolve SID: %s', sid)
             # Placeholder entry so callers still get a usable object
             entry = {'type': 'Unknown', 'principal': sid}
         # Cached regardless of validity: an unresolvable SID is unlikely to
         # resolve on a retry and caching it saves LDAP traffic.
         cache.put(sid, entry)

     return {'ObjectID': sid, 'ObjectType': entry['type']}
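 def add_user_properties(user, entry):
     """
     Resolve properties for user objects.

     Fills user['Properties'] in place from the LDAP attributes of *entry*,
     read through ADUtils.get_entry_property. userAccountControl is fetched
     once and its bit flags decoded into enabled / dontreqpreauth /
     pwdneverexpires / sensitive. Windows FILETIME attributes are converted
     with ADUtils.win_timestamp_to_unix; an absent lastLogon or
     lastlogontimestamp (0) is reported as -1, while pwdLastSet keeps 0.
     sIDHistory entries are converted to canonical SID strings.

     The userPassword attribute, when present on the entry, is copied
     verbatim into the output; treat the resulting data as sensitive.

     :param user: BloodHound user dict whose 'Properties' dict is updated
     :param entry: LDAP entry for the user
     """
     props = user['Properties']

     # userAccountControl bit flags (UF_* names as used by Windows)
     UF_ACCOUNTDISABLE = 0x00000002
     UF_DONT_EXPIRE_PASSWD = 0x00010000
     UF_NOT_DELEGATED = 0x00100000
     UF_DONT_REQUIRE_PREAUTH = 0x00400000

     def filetime_prop(attr):
         # Raw Windows FILETIME attribute -> unix epoch; 0 when absent
         return ADUtils.win_timestamp_to_unix(
             ADUtils.get_entry_property(entry, attr, default=0, raw=True))

     # Read the flag word once; every UF_* check below derives from it
     uac = ADUtils.get_entry_property(entry, 'userAccountControl', default=0)

     # Is user enabled? Checked by seeing if the UAC flag 2 (ACCOUNT_DISABLED) is not set
     props['enabled'] = (uac & UF_ACCOUNTDISABLE) == 0

     # Logon timestamps: 0 (attribute absent) is reported as -1
     props['lastlogon'] = filetime_prop('lastLogon')
     if props['lastlogon'] == 0:
         props['lastlogon'] = -1
     props['lastlogontimestamp'] = filetime_prop('lastlogontimestamp')
     if props['lastlogontimestamp'] == 0:
         props['lastlogontimestamp'] = -1
     # pwdLastSet intentionally keeps 0 rather than -1
     props['pwdlastset'] = filetime_prop('pwdLastSet')

     props['dontreqpreauth'] = (uac & UF_DONT_REQUIRE_PREAUTH) == UF_DONT_REQUIRE_PREAUTH
     props['pwdneverexpires'] = (uac & UF_DONT_EXPIRE_PASSWD) == UF_DONT_EXPIRE_PASSWD
     props['sensitive'] = (uac & UF_NOT_DELEGATED) == UF_NOT_DELEGATED

     props['serviceprincipalnames'] = ADUtils.get_entry_property(
         entry, 'servicePrincipalName', [])
     props['hasspn'] = bool(props['serviceprincipalnames'])

     props['displayname'] = ADUtils.get_entry_property(entry, 'displayName')
     props['email'] = ADUtils.get_entry_property(entry, 'mail')
     props['title'] = ADUtils.get_entry_property(entry, 'title')
     props['homedirectory'] = ADUtils.get_entry_property(entry, 'homeDirectory')
     props['description'] = ADUtils.get_entry_property(entry, 'description')
     # Copied as-is from the directory; sensitive if populated
     props['userpassword'] = ADUtils.get_entry_property(entry, 'userPassword')
     props['admincount'] = ADUtils.get_entry_property(entry, 'adminCount', 0) == 1

     # Only emitted when the attribute is non-empty (single lookup)
     delegate_to = ADUtils.get_entry_property(entry, 'msDS-AllowedToDelegateTo', [])
     if delegate_to:
         props['allowedtodelegate'] = delegate_to

     props['sidhistory'] = [
         LDAP_SID(bsid).formatCanonical()
         for bsid in ADUtils.get_entry_property(entry, 'sIDHistory', [])
     ]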
 def __init__(self, destination, direction, trust_type, flags, domainsid):
     """
     Record a trust relationship towards *destination*.

     *domainsid* is a binary SID and is stored in canonical string form
     (LDAP_SID.formatCanonical). An empty SID is logged at debug level and
     stored as '' so the trust object stays usable.
     """
     self.destination_domain = destination
     self.direction = direction
     self.type = trust_type
     self.flags = flags

     # Try catching empty SID
     if not domainsid:
         logging.debug('Domain %s has empty domain SID',
                       self.destination_domain)
         self.domainsid = ''
         return

     self.domainsid = LDAP_SID(domainsid).formatCanonical()
 def formatSid(siddata):
     """
     Return the canonical string form of a binary SID blob, as produced by
     LDAP_SID.formatCanonical.
     """
     parsed = LDAP_SID(siddata)
     return parsed.formatCanonical()