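 def _write_config(self):
     """Write the Kerberos configuration file.

     The contents are written to a sibling temporary path
     (``<m_config>.<pid>-tmp``) and then renamed over ``self.m_config``,
     so a reader never sees a half-written file.  Because that temporary
     name is predictable, it is created with O_EXCL: if something already
     exists at that path (a stale file or a planted symlink) the write
     fails instead of following it, and the original ``file(ftmp, 'w')``
     would have silently opened and overwritten it.

     The realm, domain and KDC names are interpolated verbatim; a value
     containing a newline would add directives to the generated file.
     NOTE(review): assumes those values were validated upstream - confirm.

     Raises:
         OSError: if the temporary file already exists or cannot be
             created, written, or renamed into place.
     """
     assert self.m_config is not None
     ftmp = '%s.%d-tmp' % (self.m_config, os.getpid())
     enctypes = ' '.join(self._supported_enctypes())
     # Same default permissions as open(..., 'w') (0666 masked by umask),
     # but create-only: refuse to reuse whatever is already at ftmp.
     fd = os.open(ftmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666)
     try:
         # The context manager closes the handle on every path, including
         # a failed write; the original only closed it on success.
         with os.fdopen(fd, 'w') as fout:
             fout.write('# krb5.conf generated by Python-AD at %s\n' %
                        time.asctime())
             fout.write('[libdefaults]\n')
             fout.write('  default_realm = %s\n' % self.m_domain)
             fout.write('  dns_lookup_kdc = false\n')
             fout.write('  default_tgs_enctypes = %s\n' % enctypes)
             fout.write('  default_tkt_enctypes = %s\n' % enctypes)
             if compat.disable_reverse_dns():
                 fout.write('  rdns = no\n')
             fout.write('[realms]\n')
             for domain in self.m_domains:
                 fout.write('  %s = {\n' % domain)
                 for server in self.m_domains[domain]:
                     fout.write('    kdc = %s:%d\n' % (server, KERBEROS_PORT))
                     fout.write('    kpasswd_server = %s:%d\n' %
                                (server, KPASSWD_PORT))
                 fout.write('  }\n')
         # Only a complete, closed file is swapped in.
         os.rename(ftmp, self.m_config)
     finally:
         # Best-effort cleanup: after a successful rename ftmp is gone and
         # the remove simply fails, which is expected.
         try:
             os.remove(ftmp)
         except OSError:
             pass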
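 def _write_config(self):
     """Write the Kerberos configuration file.

     The contents are written to a sibling temporary path
     (``<m_config>.<pid>-tmp``) and then renamed over ``self.m_config``,
     so a reader never sees a half-written file.  Because that temporary
     name is predictable, it is created with O_EXCL: if something already
     exists at that path (a stale file or a planted symlink) the write
     fails instead of following it, and the original ``file(ftmp, 'w')``
     would have silently opened and overwritten it.

     The realm, domain and KDC names are interpolated verbatim; a value
     containing a newline would add directives to the generated file.
     NOTE(review): assumes those values were validated upstream - confirm.

     Raises:
         OSError: if the temporary file already exists or cannot be
             created, written, or renamed into place.
     """
     assert self.m_config is not None
     ftmp = '%s.%d-tmp' % (self.m_config, os.getpid())
     enctypes = ' '.join(self._supported_enctypes())
     # Same default permissions as open(..., 'w') (0666 masked by umask),
     # but create-only: refuse to reuse whatever is already at ftmp.
     fd = os.open(ftmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666)
     try:
         # The context manager closes the handle on every path, including
         # a failed write; the original only closed it on success.
         with os.fdopen(fd, 'w') as fout:
             fout.write('# krb5.conf generated by Python-AD at %s\n' %
                        time.asctime())
             fout.write('[libdefaults]\n')
             fout.write('  default_realm = %s\n' % self.m_domain)
             fout.write('  dns_lookup_kdc = false\n')
             fout.write('  default_tgs_enctypes = %s\n' % enctypes)
             fout.write('  default_tkt_enctypes = %s\n' % enctypes)
             if compat.disable_reverse_dns():
                 fout.write('  rdns = no\n')
             fout.write('[realms]\n')
             for domain in self.m_domains:
                 fout.write('  %s = {\n' % domain)
                 for server in self.m_domains[domain]:
                     fout.write('    kdc = %s:%d\n' % (server, KERBEROS_PORT))
                     fout.write('    kpasswd_server = %s:%d\n'
                                % (server, KPASSWD_PORT))
                 fout.write('  }\n')
         # Only a complete, closed file is swapped in.
         os.rename(ftmp, self.m_config)
     finally:
         # Best-effort cleanup: after a successful rename ftmp is gone and
         # the remove simply fails, which is expected.
         try:
             os.remove(ftmp)
         except OSError:
             pass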
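 def _create_ldap_connection(self, uri, bind=True):
     """Open a new LDAP connection and optionally bind it using GSSAPI.

     Args:
         uri: LDAP URI passed straight to ``ldap.initialize``.
         bind: when true, perform a SASL/GSSAPI interactive bind using the
             process's current Kerberos credentials.

     Returns:
         The configured (and, if requested, bound) connection object.
     """
     ld = ldap.initialize(uri)
     # The original assigned ``procotol_version`` (typo), which only created
     # an unused attribute and never selected LDAPv3.
     ld.protocol_version = 3
     ld.timelimit = self._timelimit
     ld.sizelimit = self._sizelimit
     ld.referrals = self._referrals
     if compat.disable_reverse_dns():
         # Stop SASL from canonicalising the host name via reverse DNS.
         ld.set_option(ldap.OPT_X_SASL_NOCANON, True)
     if bind:
         # NOTE(review): no minimum SASL security strength is requested
         # (OPT_X_SASL_SSF_MIN), so a GSSAPI bind that negotiates no
         # integrity/confidentiality layer is accepted - confirm whether
         # callers rely on this channel being signed or sealed.
         sasl = ldap.sasl.sasl({}, 'GSSAPI')
         ld.sasl_interactive_bind_s('', sasl)
     return ld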
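 def _create_ldap_connection(self, uri, bind=True):
     """Open a new LDAP connection and optionally bind it using GSSAPI.

     Args:
         uri: LDAP URI passed straight to ``ldap.initialize``.
         bind: when true, perform a SASL/GSSAPI interactive bind using the
             process's current Kerberos credentials.

     Returns:
         The configured (and, if requested, bound) connection object.
     """
     ld = ldap.initialize(uri)
     # The original assigned ``procotol_version`` (typo), which only created
     # an unused attribute and never selected LDAPv3.
     ld.protocol_version = 3
     ld.timelimit = self._timelimit
     ld.sizelimit = self._sizelimit
     ld.referrals = self._referrals
     if compat.disable_reverse_dns():
         # Stop SASL from canonicalising the host name via reverse DNS.
         ld.set_option(ldap.OPT_X_SASL_NOCANON, True)
     if bind:
         # NOTE(review): no minimum SASL security strength is requested
         # (OPT_X_SASL_SSF_MIN), so a GSSAPI bind that negotiates no
         # integrity/confidentiality layer is accepted - confirm whether
         # callers rely on this channel being signed or sealed.
         sasl = ldap.sasl.sasl({}, 'GSSAPI')
         ld.sasl_interactive_bind_s('', sasl)
     return ld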
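 def _check_domain_controller(self, reply, role):
     """Check that the controller described by `reply' serves the queried
     domain and has role `role'.

     `reply' carries the queried host name and domain (``q_hostname``,
     ``q_domain``), the domain the server claims (``domain``) and its
     ``flags``; `role' is one of 'gc', 'pdc' or 'dc'.

     Checks, in order: forward DNS for the host name must yield exactly one
     address; unless reverse lookups are disabled, the PTR for that address
     must yield one name that resolves back to that same single address;
     the server flags must carry the bit for `role'; and the claimed domain
     must match the queried one (case-insensitively).  The first failing
     check is logged and False is returned, True otherwise.

     A role outside the three known values is rejected.  The original
     skipped the flag check entirely for an unknown role and so accepted
     any server - a fail-open that is closed here.
     """
     self.m_logger.debug('Checking controller %s for domain %s role %s' %
                         (reply.q_hostname, reply.q_domain, role))
     # Flag a server must advertise for each role; a lookup table also
     # avoids the and/or precedence puzzle of the original condition.
     required_flag = {
         'gc': netlogon.SERVER_GC,
         'pdc': netlogon.SERVER_PDC,
         'dc': netlogon.SERVER_LDAP,
     }
     if role not in required_flag:
         self.m_logger.error('Unknown role %s' % role)
         return False
     answer = self._dns_query(reply.q_hostname, 'A')
     if len(answer) != 1:
         self.m_logger.error('Forward DNS returned %d entries (need 1)' %
                             len(answer))
         return False
     address = answer[0].address
     if not compat.disable_reverse_dns():
         # Round trip address -> PTR -> A and require the same address.
         # NOTE(review): the PTR name is never compared with
         # reply.q_hostname, so a differently named PTR that resolves to
         # the same address still passes - confirm that is intended.
         revname = dns.reversename.from_address(address)
         answer = self._dns_query(revname, 'PTR')
         if len(answer) != 1:
             self.m_logger.error(
                 'Reverse DNS returned %d entries (need 1)' % len(answer))
             return False
         hostname = answer[0].target.to_text()
         answer = self._dns_query(hostname, 'A')
         if len(answer) != 1:
             self.m_logger.error(
                 'Second fwd DNS returned %d entries (need 1)' %
                 len(answer))
             return False
         if answer[0].address != address:
             self.m_logger.error('Second forward DNS does not match first')
             return False
     if not (reply.flags & required_flag[role]):
         self.m_logger.error('Role does not match')
         return False
     if reply.q_domain.lower() != reply.domain.lower():
         self.m_logger.error('Domain does not match')
         return False
     self.m_logger.debug('Controller is OK')
     return True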