def _cache_rawdump_ActiveDirectory(**kwargs):
ad = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT)
domains = ad.get_domains()
for d in domains:
workgroup = d['nETBIOSName']
print "w: %s" % workgroup
ucache = FreeNAS_UserCache(dir=workgroup)
if ucache:
for key in ucache.keys():
print "u: %s=%s" % (key, ucache[key])
gcache = FreeNAS_GroupCache(dir=workgroup)
if gcache:
for key in gcache.keys():
print "g: %s=%s" % (key, gcache[key])
ducache = FreeNAS_Directory_UserCache(dir=workgroup)
if ducache:
for key in ducache.keys():
print "du: %s=%s" % (key, ducache[key])
dgcache = FreeNAS_Directory_GroupCache(dir=workgroup)
if dgcache:
for key in dgcache.keys():
print "dg: %s=%s" % (key, dgcache[key])
def Test(self):
try:
self.freenas_ad = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT)
if self.freenas_ad.connected():
return self._handler.Pass("ActiveDirectory")
else:
return self._handler.Fail(
"ActiveDirectory",
"Unable to login to the Domain Controller.")
except LDAPError as e:
# LDAPError is dumb, it returns a list with one element for goodness knows what reason
e = e[0]
error = []
desc = e.get('desc')
info = e.get('info')
if desc:
error.append(desc)
if info:
error.append(info)
if error:
error = ', '.join(error)
else:
error = str(e)
return self._handler.Fail("ActiveDirectory", error)
except Exception as e:
return self._handler.Fail("ActiveDirectory", str(e))
def _cache_rawdump_ActiveDirectory(**kwargs):
ad = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT)
domains = ad.get_domains()
for d in domains:
workgroup = d['nETBIOSName']
print "w: %s" % workgroup
ucache = FreeNAS_UserCache(dir=workgroup)
if ucache:
for key in ucache.keys():
print "u: %s=%s" % (key, ucache[key])
gcache = FreeNAS_GroupCache(dir=workgroup)
if gcache:
for key in gcache.keys():
print "g: %s=%s" % (key, gcache[key])
ducache = FreeNAS_Directory_UserCache(dir=workgroup)
if ducache:
for key in ducache.keys():
print "du: %s=%s" % (key, ducache[key])
dgcache = FreeNAS_Directory_GroupCache(dir=workgroup)
if dgcache:
for key in dgcache.keys():
print "dg: %s=%s" % (key, dgcache[key])
def directoryservice(self, name):
"""Temporary wrapper to serialize DS connectors"""
if name == 'AD':
ds = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT)
workgroups = []
domains = ds.get_domains()
for d in domains:
if 'nETBIOSName' in d:
netbiosname = d['nETBIOSName']
workgroups.append(netbiosname)
ds.workgroups = workgroups
elif name == 'LDAP':
ds = FreeNAS_LDAP(flags=FLAGS_DBINIT)
else:
raise ValueError('Unknown ds name {0}'.format(name))
data = {}
for i in ('netbiosname', 'keytab_file', 'keytab_principal',
'domainname', 'use_default_domain', 'dchost', 'basedn',
'binddn', 'bindpw', 'userdn', 'groupdn', 'ssl', 'certfile',
'id', 'ad_idmap_backend', 'ds_type', 'krb_realm', 'krbname',
'kpwdname', 'krb_kdc', 'krb_admin_server',
'krb_kpasswd_server', 'workgroups'):
if hasattr(ds, i):
data[i] = getattr(ds, i)
return data
def directoryservice(self, name):
"""Temporary rapper to serialize DS connectors"""
if name == 'AD':
ds = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT)
workgroups = []
domains = ds.get_domains()
for d in domains:
if 'nETBIOSName' in d:
netbiosname = d['nETBIOSName']
workgroups.append(netbiosname)
ds.workgroups = workgroups
elif name == 'LDAP':
ds = FreeNAS_LDAP(flags=FLAGS_DBINIT)
else:
raise ValueError('Unknown ds name {0}'.format(name))
data = {}
for i in (
'netbiosname', 'keytab_file', 'keytab_principal', 'domainname',
'use_default_domain', 'dchost', 'basedn', 'binddn', 'bindpw',
'userdn', 'groupdn', 'ssl', 'certfile', 'id',
'ad_idmap_backend', 'ds_type',
'krb_realm', 'krbname', 'kpwdname',
'krb_kdc', 'krb_admin_server', 'krb_kpasswd_server',
'workgroups'
):
if hasattr(ds, i):
data[i] = getattr(ds, i)
return data
def tryConnect(self, host, port):
max_tries = 3
connected = False
sm_timeout = _fs().middlewared.plugins.service_monitor.socket_timeout
host_list = []
if self.name == 'activedirectory':
for i in range(0, max_tries):
# Make max_tries attempts to get SRV records from DNS
host_list = FreeNAS_ActiveDirectory.get_ldap_servers(host)
if host_list:
break
else:
self.logger.debug(f'[ServiceMonitorThread] Attempt {i} to query SRV records failed')
if not host_list:
self.logger.debug(f'[ServiceMonitorThread] Query for SRV records for {host} failed')
return False
for h in host_list:
port_is_listening = FreeNAS_ActiveDirectory.port_is_listening(str(h.target), h.port, errors=[], timeout=sm_timeout)
if port_is_listening:
return True
else:
self.logger.debug(f'[ServiceMonitorThread] Cannot connect: {h.target}:{h.port}')
connected = False
return connected
else:
self.logger.debug(f'[ServiceMonitorThread] no monitoring has been written for {self.name}')
return False
def _cache_keys_ActiveDirectory(**kwargs):
ad = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT)
domains = ad.get_domains()
for d in domains:
workgroup = d['nETBIOSName']
print "w: %s" % workgroup
ucache = FreeNAS_UserCache(dir=workgroup)
if ucache:
for key in ucache.keys():
print "u key: %s" % key
gcache = FreeNAS_GroupCache(dir=workgroup)
if gcache:
for key in gcache.keys():
print "g key: %s" % key
ducache = FreeNAS_Directory_UserCache(dir=workgroup)
if ducache:
for key in ducache.keys():
print "du key: %s" % key
dgcache = FreeNAS_Directory_GroupCache(dir=workgroup)
if dgcache:
for key in dgcache.keys():
print "dg key: %s" % key
def tryConnect(self, host, port):
max_tries = 3
connected = False
sm_timeout = _fs().middlewared.plugins.service_monitor.socket_timeout
host_list = []
if self.name == 'activedirectory':
for i in range(0, max_tries):
# Make max_tries attempts to get SRV records from DNS
host_list = FreeNAS_ActiveDirectory.get_ldap_servers(host)
if host_list:
break
else:
self.logger.debug(f'[ServiceMonitorThread] Attempt {i} to query SRV records failed')
if not host_list:
self.logger.debug(f'[ServiceMonitorThread] Query for SRV records for {host} failed')
return False
for h in host_list:
port_is_listening = FreeNAS_ActiveDirectory.port_is_listening(str(h.target), h.port, errors=[], timeout=sm_timeout)
if port_is_listening:
return True
else:
self.logger.debug(f'[ServiceMonitorThread] Cannot connect: {h.target}:{h.port}')
connected = False
return connected
else:
self.logger.debug(f'[ServiceMonitorThread] no monitoring has been written for {self.name}')
return False
def _cache_keys_ActiveDirectory(**kwargs):
ad = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT)
domains = ad.get_domains()
for d in domains:
workgroup = d['nETBIOSName']
print "w: %s" % workgroup
ucache = FreeNAS_UserCache(dir=workgroup)
if ucache:
for key in ucache.keys():
print "u key: %s" % key
gcache = FreeNAS_GroupCache(dir=workgroup)
if gcache:
for key in gcache.keys():
print "g key: %s" % key
ducache = FreeNAS_Directory_UserCache(dir=workgroup)
if ducache:
for key in ducache.keys():
print "du key: %s" % key
dgcache = FreeNAS_Directory_GroupCache(dir=workgroup)
if dgcache:
for key in dgcache.keys():
print "dg key: %s" % key
def _cache_count_ActiveDirectory(**kwargs):
ad = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT)
domains = ad.get_domains()
for d in domains:
workgroup = d['nETBIOSName']
print "w: %s" % workgroup
print "u: %ld" % _cachelen(FreeNAS_UserCache(dir=workgroup))
print "g: %ld" % _cachelen(FreeNAS_GroupCache(dir=workgroup))
print "du: %ld" % _cachelen(FreeNAS_Directory_UserCache(dir=workgroup))
print "dg: %ld" % _cachelen(FreeNAS_Directory_GroupCache(dir=workgroup))
print "\n"
def _cache_count_ActiveDirectory(**kwargs):
ad = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT)
domains = ad.get_domains()
for d in domains:
workgroup = d['nETBIOSName']
print "w: %s" % workgroup
print "u: %ld" % _cachelen(FreeNAS_UserCache(dir=workgroup))
print "g: %ld" % _cachelen(FreeNAS_GroupCache(dir=workgroup))
print "du: %ld" % _cachelen(FreeNAS_Directory_UserCache(dir=workgroup))
print "dg: %ld" % _cachelen(
FreeNAS_Directory_GroupCache(dir=workgroup))
print "\n"
def ad_status(self):
ret = False
try:
ret = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT).connected()
except:
pass
return ret
def clean_ad_gcname(self):
ad_gcname = self.cleaned_data.get('ad_gcname')
ad_gcport = self.get_gcport()
if not ad_gcname:
return None
parts = ad_gcname.split(':')
ad_gcname = parts[0]
errors = []
try:
ret = FreeNAS_ActiveDirectory.port_is_listening(
host=ad_gcname, port=ad_gcport, errors=errors
)
if ret is False:
raise Exception(
'Invalid Host/Port: %s' % errors[0]
)
except Exception as e:
raise forms.ValidationError('%s.' % e)
return self.cleaned_data.get('ad_gcname')
def clean_ad_gcname(self):
ad_gcname = self.cleaned_data.get('ad_gcname')
ad_gcport = 3268
ad_ssl = self.cleaned_data.get('ad_ssl')
if ad_ssl == 'on':
ad_gcport = 3269
if not ad_gcname:
return None
parts = ad_gcname.split(':')
ad_gcname = parts[0]
if len(parts) > 1 and parts[1].isdigit():
ad_gcport = long(parts[1])
errors = []
try:
ret = FreeNAS_ActiveDirectory.port_is_listening(host=ad_gcname,
port=ad_gcport,
errors=errors)
if ret is False:
raise Exception('Invalid Host/Port: %s' % errors[0])
except Exception as e:
raise forms.ValidationError('%s.' % e)
return self.cleaned_data.get('ad_gcname')
class ActiveDirectory(TestObject):
def __init__(self, handler=None):
super(self.__class__, self).__init__(handler)
self._name = "ActiveDirectory"
self.freenas_ad = None
def Enabled(self):
return activedirectory_enabled()
def Test(self):
try:
self.freenas_ad = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT)
if self.freenas_ad.connected():
return self._handler.Pass("ActiveDirectory")
else:
return self._handler.Fail("ActiveDirectory", "Unable to login to the Domain Controller.")
except LDAPError as e:
# LDAPError is dumb, it returns a list with one element for goodness knows what reason
e = e[0]
error = ""
if 'desc' in e:
error = e['desc']
if 'info' in e:
error = "{0}, {1}".format(error, e['info'])
else:
# LDAPError may have desc and info or just info so making a case that handles just info
if 'info' in e:
error = e['info']
else:
error = str(e)
return self._handler.Fail("ActiveDirectory", error)
except Exception as e:
return self._handler.Fail("ActiveDirectory", str(e))
def clean_ad_gcname(self):
ad_gcname = self.cleaned_data.get('ad_gcname')
ad_gcport = 3268
ad_ssl = self.cleaned_data.get('ad_ssl')
if ad_ssl == 'on':
ad_gcport = 3269
if not ad_gcname:
return None
parts = ad_gcname.split(':')
ad_gcname = parts[0]
if len(parts) > 1 and parts[1].isdigit():
ad_gcport = long(parts[1])
errors = []
try:
ret = FreeNAS_ActiveDirectory.port_is_listening(
host=ad_gcname, port=ad_gcport, errors=errors)
if ret is False:
raise Exception('Invalid Host/Port: %s' % errors[0])
except Exception as e:
raise forms.ValidationError('%s.' % e)
return self.cleaned_data.get('ad_gcname')
def Test(self):
try:
self.freenas_ad = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT)
if self.freenas_ad.connected():
return self._handler.Pass("ActiveDirectory")
else:
return self._handler.Fail("ActiveDirectory", "Unable to login to the Domain Controller.")
except LDAPError as e:
# LDAPError is dumb, it returns a list with one element for goodness knows what reason
e = e[0]
error = []
desc = e.get('desc')
info = e.get('info')
if desc:
error.append(desc)
if info:
error.append(info)
if error:
error = ', '.join(error)
else:
error = str(e)
return self._handler.Fail("ActiveDirectory", error)
except Exception as e:
return self._handler.Fail("ActiveDirectory", str(e))
def clean(self):
cdata = self.cleaned_data
site = cdata.get("ad_site")
ssl = cdata.get("ad_ssl")
certificate = cdata["ad_certificate"]
if certificate:
certificate = certificate.get_certificate_path()
if not cdata.get("ad_bindpw"):
cdata['ad_bindpw'] = self.instance.ad_bindpw
if not self.instance.ad_kerberos_keytab:
bindname = cdata.get("ad_bindname")
bindpw = cdata.get("ad_bindpw")
domain = cdata.get("ad_domainname")
binddn = "%s@%s" % (bindname, domain)
errors = []
try:
ret = FreeNAS_ActiveDirectory.validate_credentials(
domain,
site=site,
ssl=ssl,
certfile=certificate,
binddn=binddn,
bindpw=bindpw,
errors=errors)
if ret is False:
raise forms.ValidationError("%s." % errors[0])
except FreeNAS_ActiveDirectory_Exception, e:
raise forms.ValidationError('%s.' % e)
def save(self, **kwargs):
if self.ad_bindpw and not self._ad_bindpw_encrypted:
self.ad_bindpw = notifier().pwenc_encrypt(self.ad_bindpw)
self._ad_bindpw_encrypted = True
super(ActiveDirectory, self).save(**kwargs)
if not self.ad_kerberos_realm:
from freenasUI.common.freenasldap import (FreeNAS_ActiveDirectory,
FLAGS_DBINIT)
try:
fad = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT)
kr = KerberosRealm.objects.filter(
krb_realm=self.ad_domainname.upper())
if kr:
kr = kr[0]
else:
kr = KerberosRealm()
kr.krb_realm = self.ad_domainname.upper()
kr.save()
self.ad_kerberos_realm = kr
super(ActiveDirectory, self).save()
except Exception as e:
log.debug(
"ActiveDirectory: Unable to create kerberos realm: %s", e)
def set_idmap_rfc2307_secret():
try:
ad = ActiveDirectory.objects.all()[0]
except:
return False
domain = None
idmap = get_idmap_object(ad.ds_type, ad.id, ad.ad_idmap_backend)
try:
fad = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT)
domain = fad.netbiosname.upper()
except:
return False
args = ["/usr/local/bin/net", "-d 0", "idmap", "secret"]
net_cmd = "%s '%s' '%s'" % (string.join(
args, ' '), domain, idmap.idmap_rfc2307_ldap_user_dn_password)
p = pipeopen(net_cmd, quiet=True)
net_out = p.communicate()
if net_out and net_out[0]:
for line in net_out[0].split('\n'):
if not line:
continue
print line
ret = True
if p.returncode != 0:
print >> sys.stderr, "Failed to set idmap secret!"
ret = False
return ret
def clean_ad_gcname(self):
ad_gcname = self.cleaned_data.get('ad_gcname')
ad_gcport = self.get_gcport()
if not ad_gcname:
return None
parts = ad_gcname.split(':')
ad_gcname = parts[0]
errors = []
try:
ret = FreeNAS_ActiveDirectory.port_is_listening(
host=ad_gcname, port=ad_gcport, errors=errors
)
if ret is False:
raise Exception(
'Invalid Host/Port: %s' % errors[0]
)
except Exception as e:
raise forms.ValidationError('%s.' % e)
return self.cleaned_data.get('ad_gcname')
def add_activedirectory_conf(smb4_conf):
try:
ad = ActiveDirectory.objects.all()[0]
except:
return
cachedir = "/var/tmp/.cache/.samba"
try:
os.makedirs(cachedir)
os.chmod(cachedir, 0755)
except:
pass
ad_workgroup = None
try:
fad = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT)
ad_workgroup = fad.netbiosname.upper()
except:
return
set_netbiosname(smb4_conf, ad.ad_netbiosname)
confset2(smb4_conf, "workgroup = %s", ad_workgroup)
confset2(smb4_conf, "realm = %s", ad.ad_domainname.upper())
confset1(smb4_conf, "security = ADS")
confset1(smb4_conf, "client use spnego = yes")
confset2(smb4_conf, "cache directory = %s", cachedir)
confset1(smb4_conf, "local master = no")
confset1(smb4_conf, "domain master = no")
confset1(smb4_conf, "preferred master = no")
confset2(smb4_conf, "ads dns update = %s",
"yes" if ad.ad_allow_dns_updates else "no")
confset1(smb4_conf, "winbind cache time = 7200")
confset1(smb4_conf, "winbind offline logon = yes")
confset1(smb4_conf, "winbind enum users = yes")
confset1(smb4_conf, "winbind enum groups = yes")
confset1(smb4_conf, "winbind nested groups = yes")
confset2(smb4_conf, "winbind use default domain = %s",
"yes" if ad.ad_use_default_domain else "no")
confset1(smb4_conf, "winbind refresh tickets = yes")
if ad.ad_nss_info:
confset2(smb4_conf, "winbind nss info = %s", ad.ad_nss_info)
idmap = get_idmap_object(ad.ds_type, ad.id, ad.ad_idmap_backend)
configure_idmap_backend(smb4_conf, idmap, ad_workgroup)
confset2(smb4_conf, "allow trusted domains = %s",
"yes" if ad.ad_allow_trusted_doms else "no")
confset2(smb4_conf, "client ldap sasl wrapping = %s",
ad.ad_ldap_sasl_wrapping)
confset1(smb4_conf, "template shell = /bin/sh")
confset2(smb4_conf, "template homedir = %s",
"/home/%D/%U" if not ad.ad_use_default_domain else "/home/%U")
def add_activedirectory(sc):
activedirectory = ActiveDirectory.objects.all()[0]
ad = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT)
ad_cookie = ad.netbiosname
ad_domain = 'domain/%s' % ad_cookie
ad_section = None
for key in sc.keys():
if key == ad_domain:
ad_section = sc[key]
break
if not ad_section:
ad_section = SSSDSectionDomain(ad_domain)
ad_section.description = ad_cookie
if ad_section.description != ad_cookie:
return
ad_defaults = [
{ 'enumerate': 'true' },
{ 'id_provider': 'ldap'},
{ 'auth_provider': 'ldap' },
{ 'ldap_schema': 'rfc2307bis' },
{ 'ldap_user_object_class': 'person' },
{ 'ldap_user_name': 'msSFU30Name' },
{ 'ldap_user_uid_number': 'uidNumber' },
{ 'ldap_user_gid_number': 'gidNumber' },
{ 'ldap_user_home_directory': 'homeDirectory' },
{ 'ldap_user_shell': 'loginShell' },
{ 'ldap_user_principal': 'userPrincipalName' },
{ 'ldap_group_object_class': 'group' },
{ 'ldap_group_name': 'msSFU30Name' },
{ 'ldap_group_gid_number': 'gidNumber' },
{ 'ldap_force_upper_case_realm': 'true' },
{ 'use_fully_qualified_names': 'true' }
]
for d in ad_defaults:
key = d.keys()[0]
if not key in ad_section:
setattr(ad_section, key, d[key])
if activedirectory.ad_use_default_domain:
ad_section.use_fully_qualified_names = 'false'
#
# XXX re-work this to use ad object
#
ad_section.ldap_uri = "ldap://%s" % ad.dchost
ad_section.ldap_search_base = ad.basedn
ad_section.ldap_default_bind_dn = ad.binddn
ad_section.ldap_default_authtok_type = 'password'
ad_section.ldap_default_authtok = ad.bindpw
sc[ad_domain] = ad_section
sc['sssd'].add_domain(ad_cookie)
sc['sssd'].add_newline()
def Test(self):
try:
self.freenas_ad = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT)
if self.freenas_ad.connected():
return self._handler.Pass("ActiveDirectory")
else:
return self._handler.Fail("ActiveDirectory", "Unable to login to the Domain Controller.")
except Exception as e:
return self._handler.Fail("ActiveDirectory", str(e))
def check_AD(self, host, port):
"""
Basic health checks to determine whether we can recover the AD service if a disruption occurs.
Current tests:
- Clockskew from DC is not greater than 5 minutes (MIT default). Kerberos has strict time requirements.
This can vary based on the kerberos configuration, and so this may need to be a configurable field.
- DC connectivity. We check this by using DNS to get SRV records for LDAP, and then trying to open a socket
to the LDAP(S) port on each of the LDAP servers in the list.
Future tests:
- Validate service account password
- Verify presence of computer object in DA
"""
connected = False
permitted_clockskew = datetime.timedelta(minutes=5)
sm_timeout = _fs().middlewared.plugins.service_monitor.socket_timeout
host_list = FreeNAS_ActiveDirectory.get_ldap_servers(host, self.config['ad_site'])
if not host_list:
self.alert(self.name, f'{self.name}: {host} not in connectable state. DNS query for SRV records for {host} failed.')
self.logger.debug(f'[ServiceMonitorThread] DNS query for SRV records for {host} failed')
return False
for h in host_list:
port_is_listening = FreeNAS_ActiveDirectory.port_is_listening(str(h.target),
h.port,
errors=[],
timeout=sm_timeout)
if port_is_listening:
clockskew_within_spec = self.validate_time(str(h.target), permitted_clockskew)
if not clockskew_within_spec:
return False
return True
else:
self.logger.debug(f'[ServiceMonitorThread] Cannot connect: {h.target}:{h.port}')
connected = False
if not connected:
self.alert(self.name, f'{self.name}: Unable to contact domain controller for {host}. Domain not in connectable state.')
return connected
def clean(self):
cdata = self.cleaned_data
domain = cdata.get("ad_domainname")
bindname = cdata.get("ad_bindname")
binddn = "%s@%s" % (bindname, domain)
bindpw = cdata.get("ad_bindpw")
site = cdata.get("ad_site")
netbiosname = cdata.get("ad_netbiosname_a")
netbiosname_b = cdata.get("ad_netbiosname_b")
ssl = cdata.get("ad_ssl")
certificate = cdata["ad_certificate"]
ad_kerberos_principal = cdata["ad_kerberos_principal"]
workgroup = None
if certificate:
certificate = certificate.get_certificate_path()
args = {
'domain': domain,
'site': site,
'ssl': ssl,
'certfile': certificate
}
if not cdata.get("ad_bindpw"):
bindpw = self.instance.ad_bindpw
cdata['ad_bindpw'] = bindpw
if not ad_kerberos_principal:
if not bindname:
raise forms.ValidationError("No domain account name specified")
if not bindpw:
raise forms.ValidationError(
"No domain account password specified")
errors = []
try:
ret = FreeNAS_ActiveDirectory.validate_credentials(
domain,
site=site,
ssl=ssl,
certfile=certificate,
binddn=binddn,
bindpw=bindpw,
errors=errors)
if ret is False:
raise forms.ValidationError("%s." % errors[0])
except FreeNAS_ActiveDirectory_Exception, e:
raise forms.ValidationError('%s.' % e)
args['binddn'] = binddn
args['bindpw'] = bindpw
def clean(self):
cdata = self.cleaned_data
domain = cdata.get("ad_domainname")
bindname = cdata.get("ad_bindname")
bindpw = cdata.get("ad_bindpw")
site = cdata.get("ad_site")
netbiosname = cdata.get("ad_netbiosname")
netbiosname_b = cdata.get("ad_netbiosname_b")
ssl = cdata.get("ad_ssl")
certificate = cdata["ad_certificate"]
ad_kerberos_principal = cdata["ad_kerberos_principal"]
workgroup = None
if certificate:
certificate = certificate.get_certificate_path()
args = {
'domain': domain,
'site': site,
'ssl': ssl,
'certfile': certificate
}
if not ad_kerberos_principal:
if not cdata.get("ad_bindpw"):
cdata['ad_bindpw'] = self.instance.ad_bindpw
if not bindname:
raise forms.ValidationError("No domain account name specified")
if not bindpw:
raise forms.ValidationError(
"No domain account password specified")
binddn = "%s@%s" % (bindname, domain)
errors = []
try:
ret = FreeNAS_ActiveDirectory.validate_credentials(
domain,
site=site,
ssl=ssl,
certfile=certificate,
binddn=binddn,
bindpw=bindpw,
errors=errors)
if ret is False:
raise forms.ValidationError("%s." % errors[0])
except FreeNAS_ActiveDirectory_Exception, e:
raise forms.ValidationError('%s.' % e)
args['binddn'] = binddn
args['bindpw'] = bindpw
class ActiveDirectory(TestObject):
def __init__(self, handler=None):
super(self.__class__, self).__init__(handler)
self._name = "ActiveDirectory"
self.freenas_ad = None
def Enabled(self):
return activedirectory_enabled()
def Test(self):
try:
self.freenas_ad = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT)
if self.freenas_ad.connected():
return self._handler.Pass("ActiveDirectory")
else:
return self._handler.Fail("ActiveDirectory", "Unable to login to the Domain Controller.")
except Exception as e:
return self._handler.Fail("ActiveDirectory", str(e))
def clean(self):
cdata = self.cleaned_data
if not cdata.get("ad_bindpw"):
cdata['ad_bindpw'] = self.instance.ad_bindpw
if self.instance.ad_use_keytab is False:
bindname = cdata.get("ad_bindname")
bindpw = cdata.get("ad_bindpw")
domain = cdata.get("ad_domainname")
binddn = "%s@%s" % (bindname, domain)
errors = []
try:
ret = FreeNAS_ActiveDirectory.validate_credentials(
domain, binddn=binddn, bindpw=bindpw, errors=errors)
if ret is False:
raise forms.ValidationError("%s." % errors[0])
except FreeNAS_ActiveDirectory_Exception, e:
raise forms.ValidationError('%s.' % e)
def clean(self):
cdata = self.cleaned_data
if not cdata.get("ad_bindpw"):
cdata['ad_bindpw'] = self.instance.ad_bindpw
if self.instance.ad_use_keytab is False:
bindname = cdata.get("ad_bindname")
bindpw = cdata.get("ad_bindpw")
domain = cdata.get("ad_domainname")
binddn = "%s@%s" % (bindname, domain)
errors = []
ret = FreeNAS_ActiveDirectory.validate_credentials(
domain, binddn=binddn, bindpw=bindpw, errors=errors
)
if ret is False:
raise forms.ValidationError("%s." % errors[0])
return cdata
def clean(self):
cdata = self.cleaned_data
if not cdata.get("ad_bindpw"):
cdata['ad_bindpw'] = self.instance.ad_bindpw
if not self.instance.ad_kerberos_keytab:
bindname = cdata.get("ad_bindname")
bindpw = cdata.get("ad_bindpw")
domain = cdata.get("ad_domainname")
binddn = "%s@%s" % (bindname, domain)
errors = []
try:
ret = FreeNAS_ActiveDirectory.validate_credentials(
domain, binddn=binddn, bindpw=bindpw, errors=errors
)
if ret is False:
raise forms.ValidationError("%s." % errors[0])
except FreeNAS_ActiveDirectory_Exception, e:
raise forms.ValidationError('%s.' % e)
def clean(self):
cdata = self.cleaned_data
if not cdata.get("ad_bindpw"):
cdata['ad_bindpw'] = self.instance.ad_bindpw
if self.instance.ad_use_keytab == False:
bindname = cdata.get("ad_bindname")
bindpw = cdata.get("ad_bindpw")
domain = cdata.get("ad_domainname")
binddn = "%s@%s" % (bindname, domain)
ret = FreeNAS_ActiveDirectory.validate_credentials(
domain, binddn=binddn, bindpw=bindpw
)
if ret == False:
raise forms.ValidationError(
_("Incorrect password.")
)
return cdata
def forwards(self, orm):
try:
from freenasUI.common.freenasldap import (FreeNAS_ActiveDirectory,
FLAGS_DBINIT)
ad = orm.ActiveDirectory.objects.all()[0]
fad = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT)
kr = orm.KerberosRealm()
kr.krb_realm = ad.ad_domainname.upper()
if ad.ad_krbname:
kr.krb_kdc = ad.ad_krbname
else:
kr.krb_kdc = fad.krbname
kr.krb_admin_server = kr.krb_kdc
if ad.ad_kpwdname:
kr.krb_kpasswd_server = ad.ad_kpwdname
else:
kr.krb_kpasswd_server = fad.kpwdname
kr.save()
ad.ad_kerberos_realm = kr
ad.save()
if ad.ad_keytab:
kt = orm.KerberosKeytab()
kt.keytab_principal = "host/%s" % ad.ad_domainname
kt.keytab_file = "/data/%s.keytab" % re.sub(
'[^a-zA-Z0-9]+', '_', kt.keytab_principal)
kt.save()
os.rename(ad.ad_keytab, kt.keytab_file)
os.chmod(kt.keytab_file, 0o400)
ad.ad_kerberos_keytab = kt
ad.save()
except Exception as e:
print("ERROR: %s" % e, file=sys.stderr)
def ldap_conf_activedirectory(ldap_conf):
ad = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT)
config = {}
config["URI"] = "%s://%s" % ("ldaps" if ad.ssl == "on" else "ldap",
ad.domainname)
config["BASE"] = ad.basedn
if ad.ssl in ("start_tls", "on"):
if ad.certfile:
config["TLS_CACERT"] = ad.certfile
config["TLS_REQCERT"] = "allow"
#
# So what if the AD server is configured to use SSL or TLS,
# and the idmap backend is as well? WTF? whaddoyoudo?
#
ad = models.ActiveDirectory.objects.all()[0]
if ad.ad_idmap_backend in ("rfc2307", "ldap"):
idmap = get_idmap_object(ad.ds_type, ad.id, ad.ad_idmap_backend)
idmap_url = idmap.get_url()
idmap_url = re.sub('^(ldaps?://)', '', idmap_url)
config["URI"] = "%s://%s" % ("ldaps" if idmap.get_ssl() == "on" else
"ldap", idmap_url)
if idmap.get_ssl() in ('start_tls', 'on'):
capath = get_certificateauthority_path(idmap.get_certificate())
if capath:
config["TLS_CACERT"] = capath
config["TLS_REQCERT"] = "allow"
keys = ["URI", "BASE", "TLS_CACERT", "TLS_REQCERT"]
with open(ldap_conf, "w") as f:
for key in keys:
if key in config:
f.write("%s %s\n" % (key, config[key]))
f.close()
os.chmod(ldap_conf, 0644)
def save(self, **kwargs):
super(ActiveDirectory, self).save(**kwargs)
if not self.ad_kerberos_realm:
from freenasUI.common.freenasldap import (FreeNAS_ActiveDirectory,
FLAGS_DBINIT)
try:
fad = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT)
kr = KerberosRealm()
kr.krb_realm = self.ad_domainname.upper()
kr.krb_kdc = fad.krbname
kr.krb_admin_server = kr.krb_kdc
kr.krb_kpasswd_server = fad.kpwdname
kr.save()
self.ad_kerberos_realm = kr
super(ActiveDirectory, self).save()
except Exception as e:
log.debug(
"ActiveDirectory: Unable to create kerberos realm: %s", e)
bindpw=bindpw,
errors=errors)
if ret is False:
raise forms.ValidationError("%s." % errors[0])
except FreeNAS_ActiveDirectory_Exception, e:
raise forms.ValidationError('%s.' % e)
args['binddn'] = binddn
args['bindpw'] = bindpw
else:
args['keytab_principal'] = ad_kerberos_principal.principal_name
args['keytab_file'] = '/etc/krb5.keytab'
try:
workgroup = FreeNAS_ActiveDirectory.get_workgroup_name(**args)
except Exception as e:
raise forms.ValidationError(e)
if workgroup:
if compare_netbios_names(netbiosname, workgroup, None):
raise forms.ValidationError(
_("The NetBIOS name cannot be the same as the workgroup name!"
))
if netbiosname_b:
if compare_netbios_names(netbiosname_b, workgroup, None):
raise forms.ValidationError(
_("The NetBIOS name cannot be the same as the workgroup "
"name!"))
else:
def main():
realms = KerberosRealm.objects.all()
try:
settings = KerberosSettings.objects.all()[0]
except:
settings = None
kc = KerberosConfig(settings=settings)
kc.create_default_config()
ad = ldap = None
ldap_objects = LDAP.objects.all()
if ldap_objects and ldap_objects[0].ldap_enable:
ldap = FreeNAS_LDAP(flags=FLAGS_DBINIT)
ad_objects = ActiveDirectory.objects.all()
if ad_objects and ad_objects[0].ad_enable:
ad = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT)
for kr in realms:
if not kr.krb_realm:
continue
krb_kdc, krb_admin_server, krb_kpasswd_server = get_kerberos_servers(
kr, ad, ldap)
bc = KerberosConfigBindingCollection(name=kr.krb_realm)
if krb_kdc:
bc.append(KerberosConfigBinding(name="kdc", value=krb_kdc))
if krb_admin_server:
bc.append(
KerberosConfigBinding(name="admin_server",
value=krb_admin_server))
if krb_kpasswd_server:
bc.append(
KerberosConfigBinding(name="kpasswd_server",
value=krb_kpasswd_server))
bc.append(
KerberosConfigBinding(name="default_domain", value=kr.krb_realm))
kc.add_bindings(['realms'], bc)
bc = KerberosConfigBindingCollection()
bc.append(
KerberosConfigBinding(name=kr.krb_realm.lower(),
value=kr.krb_realm.upper()))
bc.append(
KerberosConfigBinding(name=".%s" % kr.krb_realm.lower(),
value=kr.krb_realm.upper()))
bc.append(
KerberosConfigBinding(name=kr.krb_realm.upper(),
value=kr.krb_realm.upper()))
bc.append(
KerberosConfigBinding(name=".%s" % kr.krb_realm.upper(),
value=kr.krb_realm.upper()))
kc.add_bindings(['domain_realm'], bc)
fp = open("/etc/krb5.conf", "w+")
kc.generate_krb5_conf(stdout=fp)
fp.close()
def start():
db = get_db_values()
if db['cifs']['cifs_srv_netbiosname'] == db['cifs'][
'cifs_srv_netbiosname_b']:
'''
Logic for checking if we've configured samba to only run on the active storage controller
'''
if not Client().call('notifier.failover_status') == "MASTER":
return False
if not db['ad']['ad_enable']:
Client().call('datastore.update', 'directoryservice.ActiveDirectory',
db['ad']['id'], {'ad_enable': 'True'})
if not db['cifs_srv']['srv_enable']:
Client().call('datastore.update', 'services.services',
db['cifs_srv']['id'], {'srv_enable': 'True'})
favored_dc = None
dcs = FNAD.get_domain_controllers(db['ad']['ad_domainname'],
site=db['ad']['ad_site'],
ssl=db['ad']['ad_ssl'])
'''
For performing domain join / AD start, we minimize the amount
of complex operations that we're performing. This avoiding an
extra LDAP bind here if possible.
'''
if len(dcs) <= 1:
favored_dc = FNAD.get_best_host(dcs)
print(f'favored dc is {favored_dc}')
else:
'''
locate_site() requires an LDAP connection
'''
fn = FNAD(flags=FLAGS_DBINIT)
print("locating site")
site = fn.locate_site()
dcs = fn.get_domain_controllers(db['ad']['ad_domainname'],
site,
ssl=db['ad']['ad_ssl'])
if len(dcs) <= 5:
favored_dc = FNAD.get_best_host(dcs)
service_launcher("ix-hostname", "quietstart")
try:
krb_realm = (db['ad']['ad_kerberos_realm']['krb_realm'])
except:
krb_realm = (db['ad']['ad_domainname'])
service_launcher("ix-kerberos", command=f'quietstart default {krb_realm}')
Client().call('etc.generate', 'nss')
if db['ldap']['ldap_enable']:
print('generating ldap_conf')
Client().call('etc.generate', 'ldap')
if not service_launcher("ix-kinit", "status"):
if not service_launcher("ix-kinit", "quietstart"):
print("ix-kinit failed")
if db['ad']['ad_unix_extensions']:
service_launcher("ix-sssd", "start")
if service_launcher("sssd", "status"):
service_launcher("sssd", "restart")
else:
service_launcher("sssd", "start")
service_launcher("ix-pre-samba", "start")
if not netads(db, "testjoin", bind_dc=favored_dc):
print('preparing to join domain')
netads(db, "join", bind_dc=favored_dc)
service_launcher("samba_server", "restart")
Client().call('etc.generate', 'pam')
service_launcher("ix-cache", "quietstart")
def _cache_check_ActiveDirectory(**kwargs):
if not kwargs.has_key('args') and kwargs['args']:
return
valid = {}
ad = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT)
domains = ad.get_domains()
for d in domains:
workgroup = d['nETBIOSName']
valid[workgroup] = True
for arg in kwargs['args']:
key = val = None
if arg.startswith("u="):
key = "u"
val = arg.partition("u=")[2]
elif arg.startswith("g="):
key = "g"
val = arg.partition("g=")[2]
elif arg.startswith("du="):
key = "du"
val = arg.partition("du=")[2]
elif arg.startswith("dg="):
key = "dg"
val = arg.partition("dg=")[2]
else:
continue
if key in ('u', 'g'):
parts = val.split('\\')
if len(parts) < 2:
continue
workgroup = parts[0]
if not valid.has_key(workgroup):
continue
ucache = FreeNAS_UserCache(dir=workgroup)
gcache = FreeNAS_GroupCache(dir=workgroup)
ducache = FreeNAS_Directory_UserCache(dir=workgroup)
dgcache = FreeNAS_Directory_GroupCache(dir=workgroup)
if key == 'u':
if ucache and ucache.has_key(val) and ucache[val]:
print "%s: %s" % (val, ucache[val])
elif key == 'g':
if gcache and gcache.has_key(val) and gcache[val]:
print "%s: %s" % (val, gcache[val])
elif key in ('du', 'dg'):
for workgroup in valid.keys():
ucache = FreeNAS_UserCache(dir=workgroup)
gcache = FreeNAS_GroupCache(dir=workgroup)
ducache = FreeNAS_Directory_UserCache(dir=workgroup)
dgcache = FreeNAS_Directory_GroupCache(dir=workgroup)
if key == 'du':
if ducache and ducache.has_key(val) and ducache[val]:
print "%s: %s" % (val, ducache[val])
elif key == 'dg':
if dgcache and dgache.has_key(val) and dgcache[val]:
print "%s: %s" % (val, dgcache[val])
def _cache_check_ActiveDirectory(**kwargs):
if 'args' not in kwargs and kwargs['args']:
return
valid = {}
ad = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT)
domains = ad.get_domains()
for d in domains:
workgroup = d['nETBIOSName']
valid[workgroup] = True
for arg in kwargs['args']:
key = val = None
if arg.startswith("u="):
key = "u"
val = arg.partition("u=")[2]
elif arg.startswith("g="):
key = "g"
val = arg.partition("g=")[2]
elif arg.startswith("du="):
key = "du"
val = arg.partition("du=")[2]
elif arg.startswith("dg="):
key = "dg"
val = arg.partition("dg=")[2]
else:
continue
if key in ('u', 'g'):
parts = val.split('\\')
if len(parts) < 2:
continue
workgroup = parts[0]
if workgroup not in valid:
continue
ucache = FreeNAS_UserCache(dir=workgroup)
gcache = FreeNAS_GroupCache(dir=workgroup)
ducache = FreeNAS_Directory_UserCache(dir=workgroup)
dgcache = FreeNAS_Directory_GroupCache(dir=workgroup)
if key == 'u':
if ucache and val in ucache and ucache[val]:
print "%s: %s" % (val, ucache[val])
elif key == 'g':
if gcache and val in gcache and gcache[val]:
print "%s: %s" % (val, gcache[val])
elif key in ('du', 'dg'):
for workgroup in valid.keys():
ucache = FreeNAS_UserCache(dir=workgroup)
gcache = FreeNAS_GroupCache(dir=workgroup)
ducache = FreeNAS_Directory_UserCache(dir=workgroup)
dgcache = FreeNAS_Directory_GroupCache(dir=workgroup)
if key == 'du':
if ducache and val in ducache and ducache[val]:
print "%s: %s" % (val, ducache[val])
elif key == 'dg':
if dgcache and val in dgcache and dgcache[val]:
print "%s: %s" % (val, dgcache[val])
def add_activedirectory(sc):
activedirectory = ActiveDirectory.objects.all()[0]
ad = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT)
use_ad_provider = False
ad_cookie = ad.netbiosname
ad_domain = 'domain/%s' % ad_cookie
ad_section = None
for key in sc.keys():
if key == ad_domain:
ad_section = sc[key]
break
if not ad_section:
ad_section = SSSDSectionDomain(ad_domain)
ad_section.description = ad_cookie
if ad_section.description != ad_cookie:
return
ad_defaults = [{
'enumerate': 'true'
}, {
'id_provider': 'ldap'
}, {
'auth_provider': 'ldap'
}, {
'access_provider': 'ldap'
}, {
'chpass_provider': 'ldap'
}, {
'ldap_schema': 'rfc2307bis'
}, {
'ldap_user_object_class': 'person'
}, {
'ldap_user_name': 'msSFU30Name'
}, {
'ldap_user_uid_number': 'uidNumber'
}, {
'ldap_user_gid_number': 'gidNumber'
}, {
'ldap_user_home_directory': 'unixHomeDirectory'
}, {
'ldap_user_shell': 'loginShell'
}, {
'ldap_user_principal': 'userPrincipalName'
}, {
'ldap_group_object_class': 'group'
}, {
'ldap_group_name': 'msSFU30Name'
}, {
'ldap_group_gid_number': 'gidNumber'
}, {
'ldap_force_upper_case_realm': 'true'
}, {
'use_fully_qualified_names': 'true'
}]
__, hostname, __ = os.uname()[0:3]
if ad.keytab_name and ad.kerberos_realm and os.path.exists(ad.keytab_file):
use_ad_provider = True
if use_ad_provider:
for d in ad_defaults:
key = d.keys()[0]
if key.startswith("ldap_") and key in d:
del d[key]
elif key.endswith("_provider"):
d[key] = 'ad'
ad_section.ad_hostname = hostname
ad_section.ad_domain = ad.domainname
ad_section.ldap_id_mapping = False
for d in ad_defaults:
if not d:
continue
key = d.keys()[0]
if not key in ad_section:
setattr(ad_section, key, d[key])
if activedirectory.ad_use_default_domain:
ad_section.use_fully_qualified_names = 'false'
try:
shares = CIFS_Share.objects.all()
for share in shares:
if share.cifs_home and share.cifs_path:
if ad.use_default_domain:
homedir_path = "%s/%%u" % share.cifs_path
else:
homedir_path = "%s/%%d/%%u" % share.cifs_path
ad_section.override_homedir = homedir_path
except Exception as e:
pass
if use_ad_provider:
pass
# ad_section.auth_provider = 'krb5'
# ad_section.chpass_provider = 'krb5'
# ad_section.ldap_sasl_mech = 'GSSAPI'
# ad_section.ldap_sasl_authid = ad.keytab_principal
# ad_section.krb5_server = ad.krb_kdc
# ad_section.krb5_realm = ad.krb_realm
# ad_section.krb5_canonicalize = 'false'
else:
ad_section.ldap_uri = "ldap://%s" % ad.dchost
ad_section.ldap_search_base = ad.basedn
ad_section.ldap_default_bind_dn = ad.binddn
ad_section.ldap_default_authtok_type = 'password'
ad_section.ldap_default_authtok = ad.bindpw
sc[ad_domain] = ad_section
sc['sssd'].add_domain(ad_cookie)
sc['sssd'].add_newline()
def clean(self):
cdata = self.cleaned_data
domain = cdata.get("ad_domainname")
bindname = cdata.get("ad_bindname")
binddn = "%s@%s" % (bindname, domain)
bindpw = cdata.get("ad_bindpw")
site = cdata.get("ad_site")
netbiosname = cdata.get("ad_netbiosname_a")
netbiosname_b = cdata.get("ad_netbiosname_b")
ssl = cdata.get("ad_ssl")
certificate = cdata["ad_certificate"]
ad_kerberos_principal = cdata["ad_kerberos_principal"]
workgroup = None
if certificate:
certificate = certificate.get_certificate_path()
args = {
'domain': domain,
'site': site,
'ssl': ssl,
'certfile': certificate
}
if not cdata.get("ad_bindpw"):
bindpw = self.instance.ad_bindpw
cdata['ad_bindpw'] = bindpw
if cdata.get("ad_enable") is False:
return cdata
if not ad_kerberos_principal:
if not bindname:
raise forms.ValidationError("No domain account name specified")
if not bindpw:
raise forms.ValidationError(
"No domain account password specified")
try:
FreeNAS_ActiveDirectory.validate_credentials(
domain,
site=site,
ssl=ssl,
certfile=certificate,
binddn=binddn,
bindpw=bindpw)
except LDAPError as e:
# LDAPError is dumb, it returns a list with one element for goodness knows what reason
e = e[0]
error = []
desc = e.get('desc')
info = e.get('info')
if desc:
error.append(desc)
if info:
error.append(info)
if error:
error = ', '.join(error)
else:
error = str(e)
raise forms.ValidationError("{0}".format(error))
except Exception as e:
raise forms.ValidationError('{0}.'.format(str(e)))
args['binddn'] = binddn
args['bindpw'] = bindpw
else:
args['keytab_principal'] = ad_kerberos_principal.principal_name
args['keytab_file'] = '/etc/krb5.keytab'
try:
workgroup = FreeNAS_ActiveDirectory.get_workgroup_name(**args)
except Exception as e:
raise forms.ValidationError(e)
if workgroup:
if compare_netbios_names(netbiosname, workgroup, None):
raise forms.ValidationError(
_("The NetBIOS name cannot be the same as the workgroup name!"
))
if netbiosname_b:
if compare_netbios_names(netbiosname_b, workgroup, None):
raise forms.ValidationError(
_("The NetBIOS name cannot be the same as the workgroup "
"name!"))
else:
log.warn("Unable to determine workgroup name")
if ssl in ("off", None):
return cdata
if not certificate:
raise forms.ValidationError(
"SSL/TLS specified without certificate")
return cdata
def clean(self):
cdata = self.cleaned_data
domain = cdata.get("ad_domainname")
bindname = cdata.get("ad_bindname")
binddn = "%s@%s" % (bindname, domain)
bindpw = cdata.get("ad_bindpw")
site = cdata.get("ad_site")
netbiosname = cdata.get("ad_netbiosname_a")
netbiosname_b = cdata.get("ad_netbiosname_b")
ssl = cdata.get("ad_ssl")
certificate = cdata["ad_certificate"]
ad_kerberos_principal = cdata["ad_kerberos_principal"]
workgroup = None
if certificate:
certificate = certificate.get_certificate_path()
args = {
'domain': domain,
'site': site,
'ssl': ssl,
'certfile': certificate
}
if not cdata.get("ad_bindpw"):
bindpw = self.instance.ad_bindpw
cdata['ad_bindpw'] = bindpw
if cdata.get("ad_enable") is False:
return cdata
if not ad_kerberos_principal:
if not bindname:
raise forms.ValidationError("No domain account name specified")
if not bindpw:
raise forms.ValidationError("No domain account password specified")
try:
FreeNAS_ActiveDirectory.validate_credentials(
domain,
site=site,
ssl=ssl,
certfile=certificate,
binddn=binddn,
bindpw=bindpw
)
except LDAPError as e:
# LDAPError is dumb, it returns a list with one element for goodness knows what reason
e = e[0]
error = []
desc = e.get('desc')
info = e.get('info')
if desc:
error.append(desc)
if info:
error.append(info)
if error:
error = ', '.join(error)
else:
error = str(e)
raise forms.ValidationError("{0}".format(error))
except Exception as e:
raise forms.ValidationError('{0}.'.format(str(e)))
args['binddn'] = binddn
args['bindpw'] = bindpw
else:
args['keytab_principal'] = ad_kerberos_principal.principal_name
args['keytab_file'] = '/etc/krb5.keytab'
try:
workgroup = FreeNAS_ActiveDirectory.get_workgroup_name(**args)
except Exception as e:
raise forms.ValidationError(e)
if workgroup:
if compare_netbios_names(netbiosname, workgroup, None):
raise forms.ValidationError(_(
"The NetBIOS name cannot be the same as the workgroup name!"
))
if netbiosname_b:
if compare_netbios_names(netbiosname_b, workgroup, None):
raise forms.ValidationError(_(
"The NetBIOS name cannot be the same as the workgroup "
"name!"
))
else:
log.warn("Unable to determine workgroup name")
if ssl in ("off", None):
return cdata
if not certificate:
raise forms.ValidationError(
"SSL/TLS specified without certificate")
return cdata
binddn=binddn,
bindpw=bindpw,
errors=errors)
if ret is False:
raise forms.ValidationError("%s." % errors[0])
except FreeNAS_ActiveDirectory_Exception, e:
raise forms.ValidationError('%s.' % e)
args['binddn'] = binddn
args['bindpw'] = bindpw
else:
args['keytab_principal'] = ad_kerberos_principal.principal_name
args['keytab_file'] = '/etc/krb5.keytab'
workgroup = FreeNAS_ActiveDirectory.get_workgroup_name(**args)
if workgroup:
if compare_netbios_names(netbiosname, workgroup, None):
raise forms.ValidationError(
_("The NetBIOS name cannot be the same as the workgroup name!"
))
if netbiosname_b:
if compare_netbios_names(netbiosname_b, workgroup, None):
raise forms.ValidationError(
_("The NetBIOS name cannot be the same as the workgroup "
"name!"))
else:
log.warn("Unable to determine workgroup name")
if ssl in ("off", None):
def clean(self):
cdata = self.cleaned_data
domain = cdata.get("ad_domainname")
bindname = cdata.get("ad_bindname")
binddn = "%s@%s" % (bindname, domain)
bindpw = cdata.get("ad_bindpw")
site = cdata.get("ad_site")
netbiosname = cdata.get("ad_netbiosname_a")
netbiosname_b = cdata.get("ad_netbiosname_b")
ssl = cdata.get("ad_ssl")
certificate = cdata["ad_certificate"]
ad_kerberos_principal = cdata["ad_kerberos_principal"]
workgroup = None
if certificate:
with client as c:
certificate = c.call('certificateauthority.query',
[['id', '=', certificate.id]],
{'get': True})
certificate = certificate['certificate_path']
args = {
'domain': domain,
'site': site,
'ssl': ssl,
'certfile': certificate
}
if not cdata.get("ad_bindpw"):
bindpw = self.instance.ad_bindpw
cdata['ad_bindpw'] = bindpw
if cdata.get("ad_enable") is False:
return cdata
if not ad_kerberos_principal:
if not bindname:
raise forms.ValidationError("No domain account name specified")
if not bindpw:
raise forms.ValidationError(
"No domain account password specified")
try:
FreeNAS_ActiveDirectory.validate_credentials(
domain,
site=site,
ssl=ssl,
certfile=certificate,
binddn=binddn,
bindpw=bindpw)
except LDAPError as e:
log.debug("LDAPError: type = %s", type(e))
error = []
try:
error.append(e.args[0]['info'])
error.append(e.args[0]['desc'])
error = ', '.join(error)
except Exception as e:
error = str(e)
raise forms.ValidationError("{0}".format(error))
except Exception as e:
log.debug("Exception: type = %s", type(e))
raise forms.ValidationError('{0}.'.format(str(e)))
args['binddn'] = binddn
args['bindpw'] = bindpw
else:
args['keytab_principal'] = ad_kerberos_principal.principal_name
args['keytab_file'] = '/etc/krb5.keytab'
try:
workgroup = FreeNAS_ActiveDirectory.get_workgroup_name(**args)
except Exception as e:
raise forms.ValidationError(e)
if workgroup:
if compare_netbios_names(netbiosname, workgroup, None):
raise forms.ValidationError(
_("The NetBIOS name cannot be the same as the workgroup name!"
))
if netbiosname_b:
if compare_netbios_names(netbiosname_b, workgroup, None):
raise forms.ValidationError(
_("The NetBIOS name cannot be the same as the workgroup "
"name!"))
else:
log.warn("Unable to determine workgroup name")
if ssl in ("off", None):
return cdata
if not certificate:
raise forms.ValidationError(
"SSL/TLS specified without certificate")
return cdata
def main():
"""Use the django ORM to generate a config file. We'll build the
config file as a series of lines, and once that is done write it
out in one go"""
map_acls_mode = False
afp_config = "/usr/local/etc/afp.conf"
cf_contents = []
afp = AFP.objects.order_by('-id')[0]
cf_contents.append("[Global]\n")
uam_list = ['uams_dhx.so', 'uams_dhx2.so']
if afp.afp_srv_guest:
uam_list.append('uams_guest.so')
cf_contents.append('\tguest account = %s\n' % afp.afp_srv_guest_user)
# uams_gss.so bails out with an error if kerberos isn't configured
if KerberosKeytab.objects.count() > 0:
uam_list.append('uams_gss.so')
cf_contents.append('\tuam list = %s\n' % (" ").join(uam_list))
if afp.afp_srv_bindip:
cf_contents.append("\tafp listen = %s\n" %
' '.join(afp.afp_srv_bindip))
cf_contents.append("\tmax connections = %s\n" %
afp.afp_srv_connections_limit)
cf_contents.append("\tmimic model = RackMac\n")
if afp.afp_srv_dbpath:
cf_contents.append("\tvol dbnest = no\n")
cf_contents.append("\tvol dbpath = %s\n" % afp.afp_srv_dbpath)
else:
cf_contents.append("\tvol dbnest = yes\n")
if afp.afp_srv_global_aux:
cf_contents.append("\t%s" % afp.afp_srv_global_aux.encode('utf8'))
if afp.afp_srv_map_acls:
cf_contents.append("\tmap acls = %s\n" % afp.afp_srv_map_acls)
if afp.afp_srv_map_acls == 'mode' and activedirectory_enabled():
map_acls_mode = True
if map_acls_mode:
ad = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT)
cf_contents.append("\tldap auth method = %s\n" % "simple")
cf_contents.append("\tldap auth dn = %s\n" % ad.binddn)
cf_contents.append("\tldap auth pw = %s\n" % ad.bindpw)
cf_contents.append("\tldap server = %s\n" % ad.domainname)
cf_contents.append("\tldap userbase = %s\n" % ad.userdn)
cf_contents.append("\tldap userscope = %s\n" % "sub")
cf_contents.append("\tldap groupbase = %s\n" % ad.groupdn)
cf_contents.append("\tldap groupscope = %s\n" % "sub")
cf_contents.append("\tldap user filter = %s\n" % "objectclass=user")
cf_contents.append("\tldap group filter = %s\n" % "objectclass=group")
cf_contents.append("\tldap uuid attr = %s\n" % "objectGUID")
cf_contents.append("\tldap uuid encoding = %s\n" % "ms-guid")
cf_contents.append("\tldap name attr = %s\n" % "sAMAccountName")
cf_contents.append("\tldap group attr = %s\n" % "sAMAccountName")
cf_contents.append("\n")
if afp.afp_srv_homedir_enable:
cf_contents.append("[Homes]\n")
cf_contents.append("\tbasedir regex = %s\n" % afp.afp_srv_homedir)
if afp.afp_srv_homename:
cf_contents.append("\thome name = %s\n" % afp.afp_srv_homename)
cf_contents.append("\n")
for share in AFP_Share.objects.all():
cf_contents.append("[%s]\n" % share.afp_name)
cf_contents.append("\tpath = %s\n" % share.afp_path)
if share.afp_allow:
cf_contents.append("\tvalid users = %s\n" % share.afp_allow)
if share.afp_deny:
cf_contents.append("\tinvalid users = %s\n" % share.afp_deny)
if share.afp_hostsallow:
cf_contents.append("\thosts allow = %s\n" % share.afp_hostsallow)
if share.afp_hostsdeny:
cf_contents.append("\thosts deny = %s\n" % share.afp_hostsdeny)
if share.afp_ro:
cf_contents.append("\trolist = %s\n" % share.afp_ro)
if share.afp_rw:
cf_contents.append("\trwlist = %s\n" % share.afp_rw)
if share.afp_timemachine:
cf_contents.append("\ttime machine = yes\n")
if not share.afp_nodev:
cf_contents.append("\tcnid dev = no\n")
if share.afp_nostat:
cf_contents.append("\tstat vol = no\n")
if not share.afp_upriv:
cf_contents.append("\tunix priv = no\n")
else:
if share.afp_fperm and not map_acls_mode:
cf_contents.append("\tfile perm = %s\n" % share.afp_fperm)
if share.afp_dperm and not map_acls_mode:
cf_contents.append("\tdirectory perm = %s\n" % share.afp_dperm)
if share.afp_umask and not map_acls_mode:
cf_contents.append("\tumask = %s\n" % share.afp_umask)
cf_contents.append("\tveto files = .windows/.mac/\n")
if map_acls_mode:
cf_contents.append("\tacls = yes\n")
with open(afp_config, "w") as fh:
for line in cf_contents:
fh.write(line)
def add_activedirectory_conf(smb4_conf):
rid_range_start = 20000
rid_range_end = 20000000
ad_range_start = 10000
ad_range_end = 90000000
try:
ad = ActiveDirectory.objects.all()[0]
except:
return
cachedir = "/var/tmp/.cache/.samba"
try:
os.makedirs(cachedir)
except:
pass
ad_workgroup = None
try:
fad = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT)
ad_workgroup = fad.netbiosname.upper()
except:
return
confset2(smb4_conf, "netbios name = %s", ad.ad_netbiosname.upper())
confset2(smb4_conf, "workgroup = %s", ad_workgroup)
confset2(smb4_conf, "realm = %s", ad.ad_domainname.upper())
confset1(smb4_conf, "security = ADS")
confset1(smb4_conf, "client use spnego = yes")
confset2(smb4_conf, "cache directory = %s", cachedir)
confset1(smb4_conf, "local master = no")
confset1(smb4_conf, "domain master = no")
confset1(smb4_conf, "preferred master = no")
confset1(smb4_conf, "acl check permissions = true")
confset1(smb4_conf, "acl map full control = true")
confset1(smb4_conf, "dos filemode = yes")
confset1(smb4_conf, "winbind cache time = 7200")
confset1(smb4_conf, "winbind offline logon = yes")
confset1(smb4_conf, "winbind enum users = yes")
confset1(smb4_conf, "winbind enum groups = yes")
confset1(smb4_conf, "winbind nested groups = yes")
confset2(smb4_conf, "winbind use default domain = %s",
"yes" if ad.ad_use_default_domain else "no")
confset1(smb4_conf, "winbind refresh tickets = yes")
if ad.ad_unix_extensions:
confset1(smb4_conf, "winbind nss info = rfc2307")
idmap = get_idmap_object(ad.ds_type, ad.id, ad.ad_idmap_backend)
configure_idmap_backend(smb4_conf, idmap, ad_workgroup)
confset2(smb4_conf, "allow trusted domains = %s",
"yes" if ad.ad_allow_trusted_doms else "no")
confset1(smb4_conf, "template shell = /bin/sh")
confset2(smb4_conf, "template homedir = %s",
"/home/%D/%U" if not ad.ad_use_default_domain else "/home/%U")
