    def get_trusted_domain_user_and_groups(self, object_name):
        """
        Resolve *object_name* to ``(user SID, [group SID, ...])``.

        *object_name* may be given either as a SID string or as a name.
        SSSD's NSS idmap interface is consulted first; only when it yields
        no group list does the lookup fall back to
        ``self.__get_trusted_domain_user_and_groups``, which talks to the
        trusted domain's AD DC over LDAP directly.

        LIMITATIONS:
            - only Trusted Admins group members can use this function as it
              uses secret for IPA-Trusted domain link if SSSD lookup failed
            - List of group SIDs does not contain group memberships outside
              of the trusted domain
        """
        object_sid = None
        group_list = None

        if is_sid_valid(object_name):
            # A SID was supplied: map it to a name so the group list can
            # be fetched by name.
            object_sid = object_name
            lookup = pysss_nss_idmap.getnamebysid(object_name)
            entry = lookup.get(object_name, {})
            if pysss_nss_idmap.NAME_KEY in entry:
                group_list = pysss.getgrouplist(entry[pysss_nss_idmap.NAME_KEY])
        else:
            # A name was supplied: map it to a SID.
            lookup = pysss_nss_idmap.getsidbyname(object_name)
            entry = lookup.get(object_name, {})
            if pysss_nss_idmap.SID_KEY in entry:
                object_sid = entry[pysss_nss_idmap.SID_KEY]
                group_list = pysss.getgrouplist(object_name)

        # SSSD could not produce a membership list: query the AD DC
        # directly (this is the path that needs the trust secret).
        if not group_list:
            return self.__get_trusted_domain_user_and_groups(object_name)

        # Every group entry returned by SSSD is expected to carry a SID;
        # a missing key surfaces as a KeyError rather than a silent drop.
        group_sids = pysss_nss_idmap.getsidbyname(group_list)
        sids = [el[pysss_nss_idmap.SID_KEY] for el in group_sids.values()]
        return (object_sid, sids)
def test_ignore_unreadable_references(ldap_conn, simple_ad_ignore_unrdbl_refs):
    """Round-trip a group through every idmap lookup while unreadable
    references are ignored.

    ``ldap_conn`` and ``simple_ad_ignore_unrdbl_refs`` are fixtures that
    provision the test directory and SSSD configuration.
    """
    group = 'group3_dom1-17775'
    group_sid = 'S-1-5-21-1305200397-2901131868-73388776-82764'
    group_id = grp.getgrnam(group).gr_gid

    def expect_group(entry, key, value):
        # Every successful lookup must describe a group object and carry
        # the expected identifier under `key`.
        assert entry[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP
        assert entry[key] == value

    sid_key = pysss_nss_idmap.SID_KEY

    # name -> SID
    expect_group(pysss_nss_idmap.getsidbyname(group)[group], sid_key, group_sid)
    # POSIX id -> SID, via the generic and the GID-specific lookup
    expect_group(pysss_nss_idmap.getsidbyid(group_id)[group_id], sid_key, group_sid)
    expect_group(pysss_nss_idmap.getsidbygid(group_id)[group_id], sid_key, group_sid)
    # a GID must not resolve through the UID-only lookup
    assert not pysss_nss_idmap.getsidbyuid(group_id)
    # SID -> POSIX id
    expect_group(pysss_nss_idmap.getidbysid(group_sid)[group_sid],
                 pysss_nss_idmap.ID_KEY, group_id)
    # SID -> name
    expect_group(pysss_nss_idmap.getnamebysid(group_sid)[group_sid],
                 pysss_nss_idmap.NAME_KEY, group)
def test_case_insensitive(ldap_conn, simple_ad):
    """Resolve a mixed-case group name in both directions.

    The forward lookups accept the name as written; the reverse lookup
    (SID -> name) is expected to hand back the lower-cased form.
    """
    group = 'Domain Users'
    group_sid = 'S-1-5-21-1305200397-2901131868-73388776-513'
    group_id = grp.getgrnam(group).gr_gid

    def is_group_with(entry, key, value):
        assert entry[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP
        assert entry[key] == value

    sid_key = pysss_nss_idmap.SID_KEY

    # name -> SID
    is_group_with(pysss_nss_idmap.getsidbyname(group)[group], sid_key, group_sid)
    # POSIX id -> SID (generic and GID-specific variants)
    is_group_with(pysss_nss_idmap.getsidbyid(group_id)[group_id], sid_key, group_sid)
    is_group_with(pysss_nss_idmap.getsidbygid(group_id)[group_id], sid_key, group_sid)
    # the GID must not be found when asked for as a UID
    assert not pysss_nss_idmap.getsidbyuid(group_id)
    # SID -> POSIX id
    is_group_with(pysss_nss_idmap.getidbysid(group_sid)[group_sid],
                  pysss_nss_idmap.ID_KEY, group_id)
    # SID -> name: SSSD canonicalises to lower case
    is_group_with(pysss_nss_idmap.getnamebysid(group_sid)[group_sid],
                  pysss_nss_idmap.NAME_KEY, group.lower())
def test_group_operations(ldap_conn, simple_ad):
    """Round-trip a trusted-domain group through every idmap lookup."""
    group = 'group1_dom1-19661'
    group_sid = 'S-1-5-21-1305200397-2901131868-73388776-82810'
    group_id = grp.getgrnam(group).gr_gid

    type_key = pysss_nss_idmap.TYPE_KEY
    sid_key = pysss_nss_idmap.SID_KEY
    group_type = pysss_nss_idmap.ID_GROUP

    # name -> SID
    by_name = pysss_nss_idmap.getsidbyname(group)[group]
    assert by_name[type_key] == group_type
    assert by_name[sid_key] == group_sid

    # POSIX id -> SID through the generic lookup ...
    by_id = pysss_nss_idmap.getsidbyid(group_id)[group_id]
    assert by_id[type_key] == group_type
    assert by_id[sid_key] == group_sid

    # ... and through the GID-specific one
    by_gid = pysss_nss_idmap.getsidbygid(group_id)[group_id]
    assert by_gid[type_key] == group_type
    assert by_gid[sid_key] == group_sid

    # a GID is not a UID
    assert not pysss_nss_idmap.getsidbyuid(group_id)

    # SID -> POSIX id
    id_by_sid = pysss_nss_idmap.getidbysid(group_sid)[group_sid]
    assert id_by_sid[type_key] == group_type
    assert id_by_sid[pysss_nss_idmap.ID_KEY] == group_id

    # SID -> name
    name_by_sid = pysss_nss_idmap.getnamebysid(group_sid)[group_sid]
    assert name_by_sid[type_key] == group_type
    assert name_by_sid[pysss_nss_idmap.NAME_KEY] == group
def test_user_operations(ldap_conn, simple_ad):
    """Round-trip a trusted-domain user through every idmap lookup."""
    user = '******'
    user_sid = 'S-1-5-21-1305200397-2901131868-73388776-82809'
    user_id = pwd.getpwnam(user).pw_uid

    def expect_user(entry, key, value):
        # Each hit must be typed as a user and carry the expected value.
        assert entry[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_USER
        assert entry[key] == value

    sid_key = pysss_nss_idmap.SID_KEY

    # name -> SID
    expect_user(pysss_nss_idmap.getsidbyname(user)[user], sid_key, user_sid)
    # POSIX id -> SID, generic and UID-specific
    expect_user(pysss_nss_idmap.getsidbyid(user_id)[user_id], sid_key, user_sid)
    expect_user(pysss_nss_idmap.getsidbyuid(user_id)[user_id], sid_key, user_sid)
    # a UID must not resolve through the GID-only lookup
    assert not pysss_nss_idmap.getsidbygid(user_id)
    # SID -> POSIX id
    expect_user(pysss_nss_idmap.getidbysid(user_sid)[user_sid],
                pysss_nss_idmap.ID_KEY, user_id)
    # SID -> name
    expect_user(pysss_nss_idmap.getnamebysid(user_sid)[user_sid],
                pysss_nss_idmap.NAME_KEY, user)
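    def get_trusted_domain_object_sid(self, object_name):
        """
        Resolve *object_name* (a user or group in a trusted domain) to its
        SID string.

        SSSD's NSS idmap interface is tried first. If it does not know the
        name, the trusted domain's AD DC is searched over LDAP through
        ``self.get_trusted_domain_objects``; that path requires the name to
        be qualified with a domain or flat name so the search is unambiguous.

        :param object_name: user or group name, optionally domain-qualified
        :returns: the object's SID as a unicode string
        :raises errors.ValidationError: if the name carries no domain, if
            the AD DC returns zero or several matching objects, or if the
            returned objectSid does not parse as a SID
        """
        from ldap.filter import escape_filter_chars

        result = pysss_nss_idmap.getsidbyname(object_name)
        entry = result.get(object_name, {})
        if pysss_nss_idmap.SID_KEY in entry:
            return entry[pysss_nss_idmap.SID_KEY]

        # Else, we are going to contact AD DC LDAP
        components = normalize_name(object_name)
        if not ('domain' in components or 'flatname' in components):
            # No domain or realm specified, ambiguous search
            raise errors.ValidationError(name=_('trusted domain object'),
                  error=_('Ambiguous search, user domain was not specified'))

        # The name part is caller-supplied and is embedded in an LDAP
        # filter, so it must be escaped: an unescaped '*', '(', ')' or '\'
        # would change the meaning of the filter (and '(' / ')' are legal
        # in sAMAccountName), turning a lookup-by-name into a wider search.
        attrs = ['objectSid']
        ldap_filter = ('(&(sAMAccountName=%(name)s)'
                       '(|(objectClass=user)(objectClass=group)))'
                       % dict(name=escape_filter_chars(components['name'])))
        scope = _ldap.SCOPE_SUBTREE
        entries = self.get_trusted_domain_objects(components.get('domain'),
                  components.get('flatname'), ldap_filter, attrs, scope)

        # Exactly one match is acceptable. An empty result used to fall
        # through to entries[0] and surface as an IndexError.
        if not entries:
            raise errors.ValidationError(name=_('trusted domain object'),
               error=_('Trusted domain did not return any object'))
        if len(entries) > 1:
            # Treat non-unique entries as invalid
            raise errors.ValidationError(name=_('trusted domain object'),
               error=_('Trusted domain did not return a unique object'))

        sid = self.__sid_to_str(entries[0][1]['objectSid'][0])
        try:
            # security.dom_sid() is used purely as a syntax check on the
            # SID we got back from the DC.
            test_sid = security.dom_sid(sid)
            return unicode(test_sid)
        except TypeError:
            raise errors.ValidationError(name=_('trusted domain object'),
               error=_('Trusted domain did not return a valid SID for the object'))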
def test_case_insensitive(ldap_conn, simple_ad):
    """Resolve a mixed-case group name in both directions.

    Forward lookups take the name as written; the SID -> name lookup is
    expected to return the lower-cased form.
    """
    group = 'Domain Users'
    group_sid = 'S-1-5-21-1305200397-2901131868-73388776-513'
    group_id = grp.getgrnam(group).gr_gid

    type_key = pysss_nss_idmap.TYPE_KEY
    sid_key = pysss_nss_idmap.SID_KEY
    group_type = pysss_nss_idmap.ID_GROUP

    # name -> SID
    by_name = pysss_nss_idmap.getsidbyname(group)[group]
    assert by_name[type_key] == group_type
    assert by_name[sid_key] == group_sid

    # POSIX id -> SID, generic lookup
    by_id = pysss_nss_idmap.getsidbyid(group_id)[group_id]
    assert by_id[type_key] == group_type
    assert by_id[sid_key] == group_sid

    # POSIX id -> SID, GID-specific lookup
    by_gid = pysss_nss_idmap.getsidbygid(group_id)[group_id]
    assert by_gid[type_key] == group_type
    assert by_gid[sid_key] == group_sid

    # the GID must not be found when asked for as a UID
    assert not pysss_nss_idmap.getsidbyuid(group_id)

    # SID -> POSIX id
    id_by_sid = pysss_nss_idmap.getidbysid(group_sid)[group_sid]
    assert id_by_sid[type_key] == group_type
    assert id_by_sid[pysss_nss_idmap.ID_KEY] == group_id

    # SID -> name comes back lower-cased
    name_by_sid = pysss_nss_idmap.getnamebysid(group_sid)[group_sid]
    assert name_by_sid[type_key] == group_type
    assert name_by_sid[pysss_nss_idmap.NAME_KEY] == group.lower()
def test_group_operations(ldap_conn, simple_ad):
    """Round-trip a trusted-domain group through every idmap lookup."""
    group = 'group3_dom1-17775'
    group_sid = 'S-1-5-21-1305200397-2901131868-73388776-82764'
    group_id = grp.getgrnam(group).gr_gid

    def check_group(entry, key, value):
        # Each hit must be typed as a group and carry the expected value.
        assert entry[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP
        assert entry[key] == value

    sid_key = pysss_nss_idmap.SID_KEY

    # name -> SID
    check_group(pysss_nss_idmap.getsidbyname(group)[group], sid_key, group_sid)
    # POSIX id -> SID, generic and GID-specific
    check_group(pysss_nss_idmap.getsidbyid(group_id)[group_id], sid_key, group_sid)
    check_group(pysss_nss_idmap.getsidbygid(group_id)[group_id], sid_key, group_sid)
    # a GID must not resolve through the UID-only lookup
    assert not pysss_nss_idmap.getsidbyuid(group_id)
    # SID -> POSIX id
    check_group(pysss_nss_idmap.getidbysid(group_sid)[group_sid],
                pysss_nss_idmap.ID_KEY, group_id)
    # SID -> name
    check_group(pysss_nss_idmap.getnamebysid(group_sid)[group_sid],
                pysss_nss_idmap.NAME_KEY, group)
def test_user_operations(ldap_conn, simple_ad):
    """Round-trip a trusted-domain user through every idmap lookup."""
    user = '******'
    user_sid = 'S-1-5-21-1305200397-2901131868-73388776-82809'
    user_id = pwd.getpwnam(user).pw_uid

    type_key = pysss_nss_idmap.TYPE_KEY
    sid_key = pysss_nss_idmap.SID_KEY
    user_type = pysss_nss_idmap.ID_USER

    # name -> SID
    by_name = pysss_nss_idmap.getsidbyname(user)[user]
    assert by_name[type_key] == user_type
    assert by_name[sid_key] == user_sid

    # POSIX id -> SID, generic lookup
    by_id = pysss_nss_idmap.getsidbyid(user_id)[user_id]
    assert by_id[type_key] == user_type
    assert by_id[sid_key] == user_sid

    # POSIX id -> SID, UID-specific lookup
    by_uid = pysss_nss_idmap.getsidbyuid(user_id)[user_id]
    assert by_uid[type_key] == user_type
    assert by_uid[sid_key] == user_sid

    # a UID is not a GID
    assert not pysss_nss_idmap.getsidbygid(user_id)

    # SID -> POSIX id
    id_by_sid = pysss_nss_idmap.getidbysid(user_sid)[user_sid]
    assert id_by_sid[type_key] == user_type
    assert id_by_sid[pysss_nss_idmap.ID_KEY] == user_id

    # SID -> name
    name_by_sid = pysss_nss_idmap.getnamebysid(user_sid)[user_sid]
    assert name_by_sid[type_key] == user_type
    assert name_by_sid[pysss_nss_idmap.NAME_KEY] == user
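def wbinfo_getsid(domain, user):
    '''
    Get SID using wbinfo

    The lookup name is built from the upper-cased *domain* and *user*.
    SSSD's NSS idmap interface is consulted first (the path that works on
    an enrolled client); if SSSD does not know the name, ``wbinfo -n`` is
    run instead (the path that works on a DC).

    :param domain: domain name; upper-cased before use
    :param user: account name within *domain*
    :returns: the SID as a text string
    :raises subprocess.CalledProcessError: if wbinfo exits non-zero
    :raises ValueError: if wbinfo exits successfully but prints nothing
    '''
    # This part works only on client
    username = '******'.format(domain.upper(), user)
    sid = pysss_nss_idmap.getsidbyname(username)

    if username in sid:
        return sid[username][pysss_nss_idmap.SID_KEY]

    # This part works only on DC. The argument-list form (no shell) keeps
    # the caller-supplied name from being interpreted by a shell.
    wbinfo_cmd = ['wbinfo', '-n', username]
    output = subprocess.check_output(wbinfo_cmd)

    # The first whitespace-separated token of wbinfo's output is the SID.
    # Empty output previously surfaced as an opaque IndexError.
    fields = output.split()
    if not fields:
        raise ValueError('wbinfo returned no SID for %s' % username)
    return fields[0].decode('utf-8')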