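def _write_config(self):
    """Write the Kerberos configuration file.

    The file named by ``self.m_config`` is replaced atomically: the content
    is written to a sibling temporary file which is then renamed over the
    target, so a concurrent reader never sees a half-written krb5.conf.
    The temporary file is removed again on any failure.

    Raises:
        AssertionError: if ``self.m_config`` has not been set.
        OSError / IOError: if the file cannot be created, written or renamed.
    """
    assert self.m_config is not None
    # Compute everything that may raise *before* the temporary file exists,
    # so a failure here cannot leave a stray "<config>.<pid>-tmp" behind.
    enctypes = ' '.join(self._supported_enctypes())
    # NOTE(review): the temporary name is predictable and the file is
    # created with the process umask; this is only safe when the directory
    # holding m_config is not writable by untrusted users.
    ftmp = '%s.%d-tmp' % (self.m_config, os.getpid())
    try:
        # ``with`` closes the descriptor even when a write fails; closing
        # only on the success path could leave it open until GC.
        with open(ftmp, 'w') as fout:
            fout.write('# krb5.conf generated by Python-AD at %s\n' % time.asctime())
            fout.write('[libdefaults]\n')
            fout.write(' default_realm = %s\n' % self.m_domain)
            # KDC discovery is done by this module (m_domains), not by DNS.
            fout.write(' dns_lookup_kdc = false\n')
            fout.write(' default_tgs_enctypes = %s\n' % enctypes)
            fout.write(' default_tkt_enctypes = %s\n' % enctypes)
            if compat.disable_reverse_dns():
                # Keep the Kerberos library from canonicalising KDC names
                # through reverse DNS, consistent with the LDAP/SASL setup.
                fout.write(' rdns = no\n')
            fout.write('[realms]\n')
            for domain in self.m_domains:
                fout.write(' %s = {\n' % domain)
                for server in self.m_domains[domain]:
                    fout.write(' kdc = %s:%d\n' % (server, KERBEROS_PORT))
                    fout.write(' kpasswd_server = %s:%d\n' % (server, KPASSWD_PORT))
                fout.write(' }\n')
        os.rename(ftmp, self.m_config)
    finally:
        # After a successful rename the temp name is gone (ENOENT is
        # expected); after a failure this discards the partial file.
        try:
            os.remove(ftmp)
        except OSError:
            pass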
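def _create_ldap_connection(self, uri, bind=True):
    """Open a new LDAP connection and optionally bind it using GSSAPI.

    Args:
        uri: LDAP URI passed to ``ldap.initialize``.
        bind: when true, perform a SASL/GSSAPI interactive bind with the
            current Kerberos credentials before returning.

    Returns:
        The configured (and, if requested, bound) ``ldap`` connection.
    """
    ld = ldap.initialize(uri)
    # Request LDAPv3 explicitly. The python-ldap attribute is
    # ``protocol_version``; a misspelled name (as previously used here)
    # just creates an unused attribute and silently leaves the library
    # default in place, which is why this line carries the exact spelling.
    ld.protocol_version = 3
    ld.timelimit = self._timelimit
    ld.sizelimit = self._sizelimit
    ld.referrals = self._referrals
    if compat.disable_reverse_dns():
        # Stop SASL from canonicalising the server name via reverse DNS.
        ld.set_option(ldap.OPT_X_SASL_NOCANON, True)
    if bind:
        # NOTE(review): no minimum SASL security strength factor is set, so
        # whether the GSSAPI layer signs/seals traffic after the bind is
        # left to library defaults; consider ldap.OPT_X_SASL_SSF_MIN when
        # integrity or confidentiality of the session is required.
        sasl = ldap.sasl.sasl({}, 'GSSAPI')
        ld.sasl_interactive_bind_s('', sasl)
    return ld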
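def _check_domain_controller(self, reply, role):
    """Check that the host that sent the netlogon `reply' is a domain
    controller for the queried domain and has role `role'.

    Checks performed, in order:
      * ``reply.q_hostname`` resolves to exactly one A record;
      * unless ``compat.disable_reverse_dns()`` is set, that address
        reverse-resolves to exactly one name which in turn forward-resolves
        to the same single address -- presumably to reject a reply that
        names a host outside the domain's own DNS control. Note that
        disabling reverse DNS skips this consistency check entirely;
      * ``reply.flags`` carries the bit required for `role` ('gc', 'pdc' or
        'dc'); any other role value is not flag-checked at all;
      * the domain named in the reply equals the queried domain
        (case-insensitive).

    Returns:
        True when every check passes, False otherwise (the reason is
        logged at error level).
    """
    self.m_logger.debug('Checking controller %s for domain %s role %s'
                        % (reply.q_hostname, reply.q_domain, role))
    answer = self._dns_query(reply.q_hostname, 'A')
    if len(answer) != 1:
        self.m_logger.error('Forward DNS returned %d entries (need 1)' % len(answer))
        return False
    address = answer[0].address
    if not compat.disable_reverse_dns():
        revname = dns.reversename.from_address(address)
        answer = self._dns_query(revname, 'PTR')
        if len(answer) != 1:
            self.m_logger.error('Reverse DNS returned %d entries (need 1)' % len(answer))
            return False
        hostname = answer[0].target.to_text()
        answer = self._dns_query(hostname, 'A')
        if len(answer) != 1:
            self.m_logger.error('Second fwd DNS returned %d entries (need 1)' % len(answer))
            return False
        if answer[0].address != address:
            self.m_logger.error('Second forward DNS does not match first')
            return False
    # Netlogon flag that must be present for each supported role. A lookup
    # table replaces the precedence-sensitive and/or chain used before.
    role_flags = {
        'gc': netlogon.SERVER_GC,
        'pdc': netlogon.SERVER_PDC,
        'dc': netlogon.SERVER_LDAP,
    }
    required = role_flags.get(role)
    if required is not None and not (reply.flags & required):
        self.m_logger.error('Role does not match')
        return False
    if reply.q_domain.lower() != reply.domain.lower():
        self.m_logger.error('Domain does not match')
        return False
    self.m_logger.debug('Controller is OK')
    return True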