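def resolve_binary_sid(self, bsid):
    """
    Resolve a binary SID (as returned by LDAP) to a BloodHound ObjectID/ObjectType pair.

    Well-known SIDs are mapped straight from ``ADUtils.WELLKNOWN_SIDS`` and
    prefixed with the upper-cased domain name. Any other SID is served from
    ``self.addomain.sidcache``; on a cache miss it is looked up through
    ``self.resolver.resolve_sid`` (locally, or via the GC for foreign SIDs)
    and the result - or an 'Unknown' placeholder - is cached.

    :param bsid: raw binary SID bytes from an LDAP attribute
    :return: dict with ``ObjectID`` and ``ObjectType`` keys
    """
    sid = LDAP_SID(bsid).formatCanonical()
    out = {}
    # Well-known SIDs (Everyone, Authenticated Users, ...) are not domain
    # objects, so they are keyed as DOMAIN-SID to keep them unique per domain.
    if sid in ADUtils.WELLKNOWN_SIDS:
        out['ObjectID'] = u'%s-%s' % (self.addomain.domain.upper(), sid)
        out['ObjectType'] = ADUtils.WELLKNOWN_SIDS[sid][1].capitalize()
        return out
    try:
        entry = self.addomain.sidcache.get(sid)
    except KeyError:
        # Cache miss - look it up.
        # A principal belongs to this domain only if its SID is the domain SID
        # followed by a '-RID' suffix. Compare with the separator included: a
        # bare startswith() would also match a foreign domain whose SID merely
        # shares a textual prefix (e.g. ...-3 vs ...-30), sending that lookup
        # to the local DC instead of the GC and leaving it unresolved.
        domain_sid = self.addomain.domain_object.sid
        in_domain = sid == domain_sid or sid.startswith(domain_sid + '-')
        use_gc = not in_domain
        ldapentry = self.resolver.resolve_sid(sid, use_gc)
        if not ldapentry:
            logging.warning('Could not resolve SID: %s', sid)
            # Fake it so callers always get a usable entry
            entry = {'type': 'Unknown', 'principal': sid}
        else:
            entry = ADUtils.resolve_ad_entry(ldapentry)
        # Entries are cached regardless of validity - unresolvable SIDs are
        # not likely to resolve the second time and this saves traffic.
        # NOTE(review): this also means a transient LDAP failure pins the SID
        # as 'Unknown' for the rest of the run - confirm that is acceptable.
        self.addomain.sidcache.put(sid, entry)
    out['ObjectID'] = sid
    out['ObjectType'] = entry['type']
    return out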
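def add_user_properties(user, entry):
    """
    Resolve properties for user objects.

    Reads attributes off the LDAP ``entry`` and stores the derived values in
    ``user['Properties']`` (mutated in place; nothing is returned).

    :param user: BloodHound user dict carrying a ``Properties`` sub-dict
    :param entry: LDAP search entry as consumed by ``ADUtils.get_entry_property``
    """
    props = user['Properties']
    # userAccountControl is a bitmask; fetch it once and test bits below.
    uac = ADUtils.get_entry_property(entry, 'userAccountControl', default=0)
    # Is user enabled? Checked by seeing if the UAC flag 2 (ACCOUNT_DISABLED) is not set
    props['enabled'] = (uac & 2) == 0
    # Timestamps come in raw (Windows FILETIME) and are converted to unix time;
    # a converted 0 ("never") is reported as -1 for the two logon fields.
    props['lastlogon'] = ADUtils.win_timestamp_to_unix(
        ADUtils.get_entry_property(entry, 'lastLogon', default=0, raw=True))
    if props['lastlogon'] == 0:
        props['lastlogon'] = -1
    props['lastlogontimestamp'] = ADUtils.win_timestamp_to_unix(
        ADUtils.get_entry_property(entry, 'lastlogontimestamp', default=0, raw=True))
    if props['lastlogontimestamp'] == 0:
        props['lastlogontimestamp'] = -1
    # NOTE(review): pwdLastSet intentionally gets no 0 -> -1 mapping, presumably
    # because 0 is itself meaningful (must change password at next logon) -
    # confirm before aligning it with the logon fields.
    props['pwdlastset'] = ADUtils.win_timestamp_to_unix(
        ADUtils.get_entry_property(entry, 'pwdLastSet', default=0, raw=True))
    # Remaining UAC bits: 0x00400000 DONT_REQ_PREAUTH (AS-REP roastable),
    # 0x00010000 DONT_EXPIRE_PASSWD, 0x00100000 NOT_DELEGATED ("account is
    # sensitive and cannot be delegated").
    props['dontreqpreauth'] = (uac & 0x00400000) == 0x00400000
    props['pwdneverexpires'] = (uac & 0x00010000) == 0x00010000
    props['sensitive'] = (uac & 0x00100000) == 0x00100000
    props['serviceprincipalnames'] = ADUtils.get_entry_property(
        entry, 'servicePrincipalName', [])
    props['hasspn'] = len(props['serviceprincipalnames']) > 0
    props['displayname'] = ADUtils.get_entry_property(entry, 'displayName')
    props['email'] = ADUtils.get_entry_property(entry, 'mail')
    props['title'] = ADUtils.get_entry_property(entry, 'title')
    props['homedirectory'] = ADUtils.get_entry_property(entry, 'homeDirectory')
    props['description'] = ADUtils.get_entry_property(entry, 'description')
    # userPassword is copied verbatim. When populated it is credential material,
    # so anything written from ``props`` must be handled as sensitive output.
    props['userpassword'] = ADUtils.get_entry_property(entry, 'userPassword')
    props['admincount'] = ADUtils.get_entry_property(entry, 'adminCount', 0) == 1
    # Constrained delegation targets: only set the key when there is at least
    # one target, so its presence stays meaningful to consumers. Fetched once
    # instead of once for the check and again for the assignment.
    delegate_to = ADUtils.get_entry_property(entry, 'msDS-AllowedToDelegateTo', [])
    if delegate_to:
        props['allowedtodelegate'] = delegate_to
    # sIDHistory is binary in LDAP; convert each SID to its S-1-5-... string.
    props['sidhistory'] = [
        LDAP_SID(bsid).formatCanonical()
        for bsid in ADUtils.get_entry_property(entry, 'sIDHistory', [])
    ]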
def __init__(self, destination, direction, trust_type, flags, domainsid):
    """
    Record one trust relationship as seen from the enumerated domain.

    :param destination: name of the domain at the other end of the trust
    :param direction: trust direction value, stored as given
    :param trust_type: trust type value, stored as given
    :param flags: trust attribute flags, stored as given
    :param domainsid: binary SID of the destination domain; may be empty/None
    """
    self.destination_domain = destination
    self.direction = direction
    self.type = trust_type
    self.flags = flags
    # Guard against an empty/missing SID: record '' and skip parsing entirely.
    if not domainsid:
        logging.debug('Domain %s has empty domain SID', self.destination_domain)
        self.domainsid = ''
        return
    self.domainsid = LDAP_SID(domainsid).formatCanonical()
def formatSid(siddata):
    """
    Convert a binary SID to its canonical ``S-1-...`` string form.

    :param siddata: raw SID bytes as stored in an LDAP attribute
    :return: canonical SID string
    """
    parsed = LDAP_SID(siddata)
    return parsed.formatCanonical()