def _cache_rawdump_ActiveDirectory(**kwargs): ad = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT) domains = ad.get_domains() for d in domains: workgroup = d['nETBIOSName'] print "w: %s" % workgroup ucache = FreeNAS_UserCache(dir=workgroup) if ucache: for key in ucache.keys(): print "u: %s=%s" % (key, ucache[key]) gcache = FreeNAS_GroupCache(dir=workgroup) if gcache: for key in gcache.keys(): print "g: %s=%s" % (key, gcache[key]) ducache = FreeNAS_Directory_UserCache(dir=workgroup) if ducache: for key in ducache.keys(): print "du: %s=%s" % (key, ducache[key]) dgcache = FreeNAS_Directory_GroupCache(dir=workgroup) if dgcache: for key in dgcache.keys(): print "dg: %s=%s" % (key, dgcache[key])
def Test(self): try: self.freenas_ad = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT) if self.freenas_ad.connected(): return self._handler.Pass("ActiveDirectory") else: return self._handler.Fail( "ActiveDirectory", "Unable to login to the Domain Controller.") except LDAPError as e: # LDAPError is dumb, it returns a list with one element for goodness knows what reason e = e[0] error = [] desc = e.get('desc') info = e.get('info') if desc: error.append(desc) if info: error.append(info) if error: error = ', '.join(error) else: error = str(e) return self._handler.Fail("ActiveDirectory", error) except Exception as e: return self._handler.Fail("ActiveDirectory", str(e))
def _cache_rawdump_ActiveDirectory(**kwargs): ad = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT) domains = ad.get_domains() for d in domains: workgroup = d['nETBIOSName'] print "w: %s" % workgroup ucache = FreeNAS_UserCache(dir=workgroup) if ucache: for key in ucache.keys(): print "u: %s=%s" % (key, ucache[key]) gcache = FreeNAS_GroupCache(dir=workgroup) if gcache: for key in gcache.keys(): print "g: %s=%s" % (key, gcache[key]) ducache = FreeNAS_Directory_UserCache(dir=workgroup) if ducache: for key in ducache.keys(): print "du: %s=%s" % (key, ducache[key]) dgcache = FreeNAS_Directory_GroupCache(dir=workgroup) if dgcache: for key in dgcache.keys(): print "dg: %s=%s" % (key, dgcache[key])
def directoryservice(self, name): """Temporary wrapper to serialize DS connectors""" if name == 'AD': ds = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT) workgroups = [] domains = ds.get_domains() for d in domains: if 'nETBIOSName' in d: netbiosname = d['nETBIOSName'] workgroups.append(netbiosname) ds.workgroups = workgroups elif name == 'LDAP': ds = FreeNAS_LDAP(flags=FLAGS_DBINIT) else: raise ValueError('Unknown ds name {0}'.format(name)) data = {} for i in ('netbiosname', 'keytab_file', 'keytab_principal', 'domainname', 'use_default_domain', 'dchost', 'basedn', 'binddn', 'bindpw', 'userdn', 'groupdn', 'ssl', 'certfile', 'id', 'ad_idmap_backend', 'ds_type', 'krb_realm', 'krbname', 'kpwdname', 'krb_kdc', 'krb_admin_server', 'krb_kpasswd_server', 'workgroups'): if hasattr(ds, i): data[i] = getattr(ds, i) return data
def directoryservice(self, name): """Temporary rapper to serialize DS connectors""" if name == 'AD': ds = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT) workgroups = [] domains = ds.get_domains() for d in domains: if 'nETBIOSName' in d: netbiosname = d['nETBIOSName'] workgroups.append(netbiosname) ds.workgroups = workgroups elif name == 'LDAP': ds = FreeNAS_LDAP(flags=FLAGS_DBINIT) else: raise ValueError('Unknown ds name {0}'.format(name)) data = {} for i in ( 'netbiosname', 'keytab_file', 'keytab_principal', 'domainname', 'use_default_domain', 'dchost', 'basedn', 'binddn', 'bindpw', 'userdn', 'groupdn', 'ssl', 'certfile', 'id', 'ad_idmap_backend', 'ds_type', 'krb_realm', 'krbname', 'kpwdname', 'krb_kdc', 'krb_admin_server', 'krb_kpasswd_server', 'workgroups' ): if hasattr(ds, i): data[i] = getattr(ds, i) return data
def tryConnect(self, host, port): max_tries = 3 connected = False sm_timeout = _fs().middlewared.plugins.service_monitor.socket_timeout host_list = [] if self.name == 'activedirectory': for i in range(0, max_tries): # Make max_tries attempts to get SRV records from DNS host_list = FreeNAS_ActiveDirectory.get_ldap_servers(host) if host_list: break else: self.logger.debug(f'[ServiceMonitorThread] Attempt {i} to query SRV records failed') if not host_list: self.logger.debug(f'[ServiceMonitorThread] Query for SRV records for {host} failed') return False for h in host_list: port_is_listening = FreeNAS_ActiveDirectory.port_is_listening(str(h.target), h.port, errors=[], timeout=sm_timeout) if port_is_listening: return True else: self.logger.debug(f'[ServiceMonitorThread] Cannot connect: {h.target}:{h.port}') connected = False return connected else: self.logger.debug(f'[ServiceMonitorThread] no monitoring has been written for {self.name}') return False
def _cache_keys_ActiveDirectory(**kwargs): ad = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT) domains = ad.get_domains() for d in domains: workgroup = d['nETBIOSName'] print "w: %s" % workgroup ucache = FreeNAS_UserCache(dir=workgroup) if ucache: for key in ucache.keys(): print "u key: %s" % key gcache = FreeNAS_GroupCache(dir=workgroup) if gcache: for key in gcache.keys(): print "g key: %s" % key ducache = FreeNAS_Directory_UserCache(dir=workgroup) if ducache: for key in ducache.keys(): print "du key: %s" % key dgcache = FreeNAS_Directory_GroupCache(dir=workgroup) if dgcache: for key in dgcache.keys(): print "dg key: %s" % key
def tryConnect(self, host, port): max_tries = 3 connected = False sm_timeout = _fs().middlewared.plugins.service_monitor.socket_timeout host_list = [] if self.name == 'activedirectory': for i in range(0, max_tries): # Make max_tries attempts to get SRV records from DNS host_list = FreeNAS_ActiveDirectory.get_ldap_servers(host) if host_list: break else: self.logger.debug(f'[ServiceMonitorThread] Attempt {i} to query SRV records failed') if not host_list: self.logger.debug(f'[ServiceMonitorThread] Query for SRV records for {host} failed') return False for h in host_list: port_is_listening = FreeNAS_ActiveDirectory.port_is_listening(str(h.target), h.port, errors=[], timeout=sm_timeout) if port_is_listening: return True else: self.logger.debug(f'[ServiceMonitorThread] Cannot connect: {h.target}:{h.port}') connected = False return connected else: self.logger.debug(f'[ServiceMonitorThread] no monitoring has been written for {self.name}') return False
def _cache_keys_ActiveDirectory(**kwargs): ad = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT) domains = ad.get_domains() for d in domains: workgroup = d['nETBIOSName'] print "w: %s" % workgroup ucache = FreeNAS_UserCache(dir=workgroup) if ucache: for key in ucache.keys(): print "u key: %s" % key gcache = FreeNAS_GroupCache(dir=workgroup) if gcache: for key in gcache.keys(): print "g key: %s" % key ducache = FreeNAS_Directory_UserCache(dir=workgroup) if ducache: for key in ducache.keys(): print "du key: %s" % key dgcache = FreeNAS_Directory_GroupCache(dir=workgroup) if dgcache: for key in dgcache.keys(): print "dg key: %s" % key
def _cache_count_ActiveDirectory(**kwargs): ad = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT) domains = ad.get_domains() for d in domains: workgroup = d['nETBIOSName'] print "w: %s" % workgroup print "u: %ld" % _cachelen(FreeNAS_UserCache(dir=workgroup)) print "g: %ld" % _cachelen(FreeNAS_GroupCache(dir=workgroup)) print "du: %ld" % _cachelen(FreeNAS_Directory_UserCache(dir=workgroup)) print "dg: %ld" % _cachelen(FreeNAS_Directory_GroupCache(dir=workgroup)) print "\n"
def _cache_count_ActiveDirectory(**kwargs): ad = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT) domains = ad.get_domains() for d in domains: workgroup = d['nETBIOSName'] print "w: %s" % workgroup print "u: %ld" % _cachelen(FreeNAS_UserCache(dir=workgroup)) print "g: %ld" % _cachelen(FreeNAS_GroupCache(dir=workgroup)) print "du: %ld" % _cachelen(FreeNAS_Directory_UserCache(dir=workgroup)) print "dg: %ld" % _cachelen( FreeNAS_Directory_GroupCache(dir=workgroup)) print "\n"
def ad_status(self): ret = False try: ret = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT).connected() except: pass return ret
def clean_ad_gcname(self): ad_gcname = self.cleaned_data.get('ad_gcname') ad_gcport = self.get_gcport() if not ad_gcname: return None parts = ad_gcname.split(':') ad_gcname = parts[0] errors = [] try: ret = FreeNAS_ActiveDirectory.port_is_listening( host=ad_gcname, port=ad_gcport, errors=errors ) if ret is False: raise Exception( 'Invalid Host/Port: %s' % errors[0] ) except Exception as e: raise forms.ValidationError('%s.' % e) return self.cleaned_data.get('ad_gcname')
def clean_ad_gcname(self): ad_gcname = self.cleaned_data.get('ad_gcname') ad_gcport = 3268 ad_ssl = self.cleaned_data.get('ad_ssl') if ad_ssl == 'on': ad_gcport = 3269 if not ad_gcname: return None parts = ad_gcname.split(':') ad_gcname = parts[0] if len(parts) > 1 and parts[1].isdigit(): ad_gcport = long(parts[1]) errors = [] try: ret = FreeNAS_ActiveDirectory.port_is_listening(host=ad_gcname, port=ad_gcport, errors=errors) if ret is False: raise Exception('Invalid Host/Port: %s' % errors[0]) except Exception as e: raise forms.ValidationError('%s.' % e) return self.cleaned_data.get('ad_gcname')
class ActiveDirectory(TestObject): def __init__(self, handler=None): super(self.__class__, self).__init__(handler) self._name = "ActiveDirectory" self.freenas_ad = None def Enabled(self): return activedirectory_enabled() def Test(self): try: self.freenas_ad = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT) if self.freenas_ad.connected(): return self._handler.Pass("ActiveDirectory") else: return self._handler.Fail("ActiveDirectory", "Unable to login to the Domain Controller.") except LDAPError as e: # LDAPError is dumb, it returns a list with one element for goodness knows what reason e = e[0] error = "" if 'desc' in e: error = e['desc'] if 'info' in e: error = "{0}, {1}".format(error, e['info']) else: # LDAPError may have desc and info or just info so making a case that handles just info if 'info' in e: error = e['info'] else: error = str(e) return self._handler.Fail("ActiveDirectory", error) except Exception as e: return self._handler.Fail("ActiveDirectory", str(e))
def clean_ad_gcname(self): ad_gcname = self.cleaned_data.get('ad_gcname') ad_gcport = 3268 ad_ssl = self.cleaned_data.get('ad_ssl') if ad_ssl == 'on': ad_gcport = 3269 if not ad_gcname: return None parts = ad_gcname.split(':') ad_gcname = parts[0] if len(parts) > 1 and parts[1].isdigit(): ad_gcport = long(parts[1]) errors = [] try: ret = FreeNAS_ActiveDirectory.port_is_listening( host=ad_gcname, port=ad_gcport, errors=errors) if ret is False: raise Exception('Invalid Host/Port: %s' % errors[0]) except Exception as e: raise forms.ValidationError('%s.' % e) return self.cleaned_data.get('ad_gcname')
def Test(self): try: self.freenas_ad = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT) if self.freenas_ad.connected(): return self._handler.Pass("ActiveDirectory") else: return self._handler.Fail("ActiveDirectory", "Unable to login to the Domain Controller.") except LDAPError as e: # LDAPError is dumb, it returns a list with one element for goodness knows what reason e = e[0] error = [] desc = e.get('desc') info = e.get('info') if desc: error.append(desc) if info: error.append(info) if error: error = ', '.join(error) else: error = str(e) return self._handler.Fail("ActiveDirectory", error) except Exception as e: return self._handler.Fail("ActiveDirectory", str(e))
def clean(self): cdata = self.cleaned_data site = cdata.get("ad_site") ssl = cdata.get("ad_ssl") certificate = cdata["ad_certificate"] if certificate: certificate = certificate.get_certificate_path() if not cdata.get("ad_bindpw"): cdata['ad_bindpw'] = self.instance.ad_bindpw if not self.instance.ad_kerberos_keytab: bindname = cdata.get("ad_bindname") bindpw = cdata.get("ad_bindpw") domain = cdata.get("ad_domainname") binddn = "%s@%s" % (bindname, domain) errors = [] try: ret = FreeNAS_ActiveDirectory.validate_credentials( domain, site=site, ssl=ssl, certfile=certificate, binddn=binddn, bindpw=bindpw, errors=errors) if ret is False: raise forms.ValidationError("%s." % errors[0]) except FreeNAS_ActiveDirectory_Exception, e: raise forms.ValidationError('%s.' % e)
def save(self, **kwargs): if self.ad_bindpw and not self._ad_bindpw_encrypted: self.ad_bindpw = notifier().pwenc_encrypt(self.ad_bindpw) self._ad_bindpw_encrypted = True super(ActiveDirectory, self).save(**kwargs) if not self.ad_kerberos_realm: from freenasUI.common.freenasldap import (FreeNAS_ActiveDirectory, FLAGS_DBINIT) try: fad = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT) kr = KerberosRealm.objects.filter( krb_realm=self.ad_domainname.upper()) if kr: kr = kr[0] else: kr = KerberosRealm() kr.krb_realm = self.ad_domainname.upper() kr.save() self.ad_kerberos_realm = kr super(ActiveDirectory, self).save() except Exception as e: log.debug( "ActiveDirectory: Unable to create kerberos realm: %s", e)
def set_idmap_rfc2307_secret(): try: ad = ActiveDirectory.objects.all()[0] except: return False domain = None idmap = get_idmap_object(ad.ds_type, ad.id, ad.ad_idmap_backend) try: fad = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT) domain = fad.netbiosname.upper() except: return False args = ["/usr/local/bin/net", "-d 0", "idmap", "secret"] net_cmd = "%s '%s' '%s'" % (string.join( args, ' '), domain, idmap.idmap_rfc2307_ldap_user_dn_password) p = pipeopen(net_cmd, quiet=True) net_out = p.communicate() if net_out and net_out[0]: for line in net_out[0].split('\n'): if not line: continue print line ret = True if p.returncode != 0: print >> sys.stderr, "Failed to set idmap secret!" ret = False return ret
def clean_ad_gcname(self): ad_gcname = self.cleaned_data.get('ad_gcname') ad_gcport = self.get_gcport() if not ad_gcname: return None parts = ad_gcname.split(':') ad_gcname = parts[0] errors = [] try: ret = FreeNAS_ActiveDirectory.port_is_listening( host=ad_gcname, port=ad_gcport, errors=errors ) if ret is False: raise Exception( 'Invalid Host/Port: %s' % errors[0] ) except Exception as e: raise forms.ValidationError('%s.' % e) return self.cleaned_data.get('ad_gcname')
def add_activedirectory_conf(smb4_conf): try: ad = ActiveDirectory.objects.all()[0] except: return cachedir = "/var/tmp/.cache/.samba" try: os.makedirs(cachedir) os.chmod(cachedir, 0755) except: pass ad_workgroup = None try: fad = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT) ad_workgroup = fad.netbiosname.upper() except: return set_netbiosname(smb4_conf, ad.ad_netbiosname) confset2(smb4_conf, "workgroup = %s", ad_workgroup) confset2(smb4_conf, "realm = %s", ad.ad_domainname.upper()) confset1(smb4_conf, "security = ADS") confset1(smb4_conf, "client use spnego = yes") confset2(smb4_conf, "cache directory = %s", cachedir) confset1(smb4_conf, "local master = no") confset1(smb4_conf, "domain master = no") confset1(smb4_conf, "preferred master = no") confset2(smb4_conf, "ads dns update = %s", "yes" if ad.ad_allow_dns_updates else "no") confset1(smb4_conf, "winbind cache time = 7200") confset1(smb4_conf, "winbind offline logon = yes") confset1(smb4_conf, "winbind enum users = yes") confset1(smb4_conf, "winbind enum groups = yes") confset1(smb4_conf, "winbind nested groups = yes") confset2(smb4_conf, "winbind use default domain = %s", "yes" if ad.ad_use_default_domain else "no") confset1(smb4_conf, "winbind refresh tickets = yes") if ad.ad_nss_info: confset2(smb4_conf, "winbind nss info = %s", ad.ad_nss_info) idmap = get_idmap_object(ad.ds_type, ad.id, ad.ad_idmap_backend) configure_idmap_backend(smb4_conf, idmap, ad_workgroup) confset2(smb4_conf, "allow trusted domains = %s", "yes" if ad.ad_allow_trusted_doms else "no") confset2(smb4_conf, "client ldap sasl wrapping = %s", ad.ad_ldap_sasl_wrapping) confset1(smb4_conf, "template shell = /bin/sh") confset2(smb4_conf, "template homedir = %s", "/home/%D/%U" if not ad.ad_use_default_domain else "/home/%U")
def add_activedirectory(sc): activedirectory = ActiveDirectory.objects.all()[0] ad = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT) ad_cookie = ad.netbiosname ad_domain = 'domain/%s' % ad_cookie ad_section = None for key in sc.keys(): if key == ad_domain: ad_section = sc[key] break if not ad_section: ad_section = SSSDSectionDomain(ad_domain) ad_section.description = ad_cookie if ad_section.description != ad_cookie: return ad_defaults = [ { 'enumerate': 'true' }, { 'id_provider': 'ldap'}, { 'auth_provider': 'ldap' }, { 'ldap_schema': 'rfc2307bis' }, { 'ldap_user_object_class': 'person' }, { 'ldap_user_name': 'msSFU30Name' }, { 'ldap_user_uid_number': 'uidNumber' }, { 'ldap_user_gid_number': 'gidNumber' }, { 'ldap_user_home_directory': 'homeDirectory' }, { 'ldap_user_shell': 'loginShell' }, { 'ldap_user_principal': 'userPrincipalName' }, { 'ldap_group_object_class': 'group' }, { 'ldap_group_name': 'msSFU30Name' }, { 'ldap_group_gid_number': 'gidNumber' }, { 'ldap_force_upper_case_realm': 'true' }, { 'use_fully_qualified_names': 'true' } ] for d in ad_defaults: key = d.keys()[0] if not key in ad_section: setattr(ad_section, key, d[key]) if activedirectory.ad_use_default_domain: ad_section.use_fully_qualified_names = 'false' # # XXX re-work this to use ad object # ad_section.ldap_uri = "ldap://%s" % ad.dchost ad_section.ldap_search_base = ad.basedn ad_section.ldap_default_bind_dn = ad.binddn ad_section.ldap_default_authtok_type = 'password' ad_section.ldap_default_authtok = ad.bindpw sc[ad_domain] = ad_section sc['sssd'].add_domain(ad_cookie) sc['sssd'].add_newline()
def Test(self): try: self.freenas_ad = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT) if self.freenas_ad.connected(): return self._handler.Pass("ActiveDirectory") else: return self._handler.Fail("ActiveDirectory", "Unable to login to the Domain Controller.") except Exception as e: return self._handler.Fail("ActiveDirectory", str(e))
def check_AD(self, host, port): """ Basic health checks to determine whether we can recover the AD service if a disruption occurs. Current tests: - Clockskew from DC is not greater than 5 minutes (MIT default). Kerberos has strict time requirements. This can vary based on the kerberos configuration, and so this may need to be a configurable field. - DC connectivity. We check this by using DNS to get SRV records for LDAP, and then trying to open a socket to the LDAP(S) port on each of the LDAP servers in the list. Future tests: - Validate service account password - Verify presence of computer object in DA """ connected = False permitted_clockskew = datetime.timedelta(minutes=5) sm_timeout = _fs().middlewared.plugins.service_monitor.socket_timeout host_list = FreeNAS_ActiveDirectory.get_ldap_servers(host, self.config['ad_site']) if not host_list: self.alert(self.name, f'{self.name}: {host} not in connectable state. DNS query for SRV records for {host} failed.') self.logger.debug(f'[ServiceMonitorThread] DNS query for SRV records for {host} failed') return False for h in host_list: port_is_listening = FreeNAS_ActiveDirectory.port_is_listening(str(h.target), h.port, errors=[], timeout=sm_timeout) if port_is_listening: clockskew_within_spec = self.validate_time(str(h.target), permitted_clockskew) if not clockskew_within_spec: return False return True else: self.logger.debug(f'[ServiceMonitorThread] Cannot connect: {h.target}:{h.port}') connected = False if not connected: self.alert(self.name, f'{self.name}: Unable to contact domain controller for {host}. Domain not in connectable state.') return connected
def clean(self): cdata = self.cleaned_data domain = cdata.get("ad_domainname") bindname = cdata.get("ad_bindname") binddn = "%s@%s" % (bindname, domain) bindpw = cdata.get("ad_bindpw") site = cdata.get("ad_site") netbiosname = cdata.get("ad_netbiosname_a") netbiosname_b = cdata.get("ad_netbiosname_b") ssl = cdata.get("ad_ssl") certificate = cdata["ad_certificate"] ad_kerberos_principal = cdata["ad_kerberos_principal"] workgroup = None if certificate: certificate = certificate.get_certificate_path() args = { 'domain': domain, 'site': site, 'ssl': ssl, 'certfile': certificate } if not cdata.get("ad_bindpw"): bindpw = self.instance.ad_bindpw cdata['ad_bindpw'] = bindpw if not ad_kerberos_principal: if not bindname: raise forms.ValidationError("No domain account name specified") if not bindpw: raise forms.ValidationError( "No domain account password specified") errors = [] try: ret = FreeNAS_ActiveDirectory.validate_credentials( domain, site=site, ssl=ssl, certfile=certificate, binddn=binddn, bindpw=bindpw, errors=errors) if ret is False: raise forms.ValidationError("%s." % errors[0]) except FreeNAS_ActiveDirectory_Exception, e: raise forms.ValidationError('%s.' % e) args['binddn'] = binddn args['bindpw'] = bindpw
def clean(self): cdata = self.cleaned_data domain = cdata.get("ad_domainname") bindname = cdata.get("ad_bindname") bindpw = cdata.get("ad_bindpw") site = cdata.get("ad_site") netbiosname = cdata.get("ad_netbiosname") netbiosname_b = cdata.get("ad_netbiosname_b") ssl = cdata.get("ad_ssl") certificate = cdata["ad_certificate"] ad_kerberos_principal = cdata["ad_kerberos_principal"] workgroup = None if certificate: certificate = certificate.get_certificate_path() args = { 'domain': domain, 'site': site, 'ssl': ssl, 'certfile': certificate } if not ad_kerberos_principal: if not cdata.get("ad_bindpw"): cdata['ad_bindpw'] = self.instance.ad_bindpw if not bindname: raise forms.ValidationError("No domain account name specified") if not bindpw: raise forms.ValidationError( "No domain account password specified") binddn = "%s@%s" % (bindname, domain) errors = [] try: ret = FreeNAS_ActiveDirectory.validate_credentials( domain, site=site, ssl=ssl, certfile=certificate, binddn=binddn, bindpw=bindpw, errors=errors) if ret is False: raise forms.ValidationError("%s." % errors[0]) except FreeNAS_ActiveDirectory_Exception, e: raise forms.ValidationError('%s.' % e) args['binddn'] = binddn args['bindpw'] = bindpw
class ActiveDirectory(TestObject): def __init__(self, handler=None): super(self.__class__, self).__init__(handler) self._name = "ActiveDirectory" self.freenas_ad = None def Enabled(self): return activedirectory_enabled() def Test(self): try: self.freenas_ad = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT) if self.freenas_ad.connected(): return self._handler.Pass("ActiveDirectory") else: return self._handler.Fail("ActiveDirectory", "Unable to login to the Domain Controller.") except Exception as e: return self._handler.Fail("ActiveDirectory", str(e))
def clean(self): cdata = self.cleaned_data if not cdata.get("ad_bindpw"): cdata['ad_bindpw'] = self.instance.ad_bindpw if self.instance.ad_use_keytab is False: bindname = cdata.get("ad_bindname") bindpw = cdata.get("ad_bindpw") domain = cdata.get("ad_domainname") binddn = "%s@%s" % (bindname, domain) errors = [] try: ret = FreeNAS_ActiveDirectory.validate_credentials( domain, binddn=binddn, bindpw=bindpw, errors=errors) if ret is False: raise forms.ValidationError("%s." % errors[0]) except FreeNAS_ActiveDirectory_Exception, e: raise forms.ValidationError('%s.' % e)
def clean(self): cdata = self.cleaned_data if not cdata.get("ad_bindpw"): cdata['ad_bindpw'] = self.instance.ad_bindpw if self.instance.ad_use_keytab is False: bindname = cdata.get("ad_bindname") bindpw = cdata.get("ad_bindpw") domain = cdata.get("ad_domainname") binddn = "%s@%s" % (bindname, domain) errors = [] ret = FreeNAS_ActiveDirectory.validate_credentials( domain, binddn=binddn, bindpw=bindpw, errors=errors ) if ret is False: raise forms.ValidationError("%s." % errors[0]) return cdata
def clean(self): cdata = self.cleaned_data if not cdata.get("ad_bindpw"): cdata['ad_bindpw'] = self.instance.ad_bindpw if not self.instance.ad_kerberos_keytab: bindname = cdata.get("ad_bindname") bindpw = cdata.get("ad_bindpw") domain = cdata.get("ad_domainname") binddn = "%s@%s" % (bindname, domain) errors = [] try: ret = FreeNAS_ActiveDirectory.validate_credentials( domain, binddn=binddn, bindpw=bindpw, errors=errors ) if ret is False: raise forms.ValidationError("%s." % errors[0]) except FreeNAS_ActiveDirectory_Exception, e: raise forms.ValidationError('%s.' % e)
def clean(self): cdata = self.cleaned_data if not cdata.get("ad_bindpw"): cdata['ad_bindpw'] = self.instance.ad_bindpw if self.instance.ad_use_keytab == False: bindname = cdata.get("ad_bindname") bindpw = cdata.get("ad_bindpw") domain = cdata.get("ad_domainname") binddn = "%s@%s" % (bindname, domain) ret = FreeNAS_ActiveDirectory.validate_credentials( domain, binddn=binddn, bindpw=bindpw ) if ret == False: raise forms.ValidationError( _("Incorrect password.") ) return cdata
def forwards(self, orm): try: from freenasUI.common.freenasldap import (FreeNAS_ActiveDirectory, FLAGS_DBINIT) ad = orm.ActiveDirectory.objects.all()[0] fad = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT) kr = orm.KerberosRealm() kr.krb_realm = ad.ad_domainname.upper() if ad.ad_krbname: kr.krb_kdc = ad.ad_krbname else: kr.krb_kdc = fad.krbname kr.krb_admin_server = kr.krb_kdc if ad.ad_kpwdname: kr.krb_kpasswd_server = ad.ad_kpwdname else: kr.krb_kpasswd_server = fad.kpwdname kr.save() ad.ad_kerberos_realm = kr ad.save() if ad.ad_keytab: kt = orm.KerberosKeytab() kt.keytab_principal = "host/%s" % ad.ad_domainname kt.keytab_file = "/data/%s.keytab" % re.sub( '[^a-zA-Z0-9]+', '_', kt.keytab_principal) kt.save() os.rename(ad.ad_keytab, kt.keytab_file) os.chmod(kt.keytab_file, 0o400) ad.ad_kerberos_keytab = kt ad.save() except Exception as e: print("ERROR: %s" % e, file=sys.stderr)
def ldap_conf_activedirectory(ldap_conf): ad = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT) config = {} config["URI"] = "%s://%s" % ("ldaps" if ad.ssl == "on" else "ldap", ad.domainname) config["BASE"] = ad.basedn if ad.ssl in ("start_tls", "on"): if ad.certfile: config["TLS_CACERT"] = ad.certfile config["TLS_REQCERT"] = "allow" # # So what if the AD server is configured to use SSL or TLS, # and the idmap backend is as well? WTF? whaddoyoudo? # ad = models.ActiveDirectory.objects.all()[0] if ad.ad_idmap_backend in ("rfc2307", "ldap"): idmap = get_idmap_object(ad.ds_type, ad.id, ad.ad_idmap_backend) idmap_url = idmap.get_url() idmap_url = re.sub('^(ldaps?://)', '', idmap_url) config["URI"] = "%s://%s" % ("ldaps" if idmap.get_ssl() == "on" else "ldap", idmap_url) if idmap.get_ssl() in ('start_tls', 'on'): capath = get_certificateauthority_path(idmap.get_certificate()) if capath: config["TLS_CACERT"] = capath config["TLS_REQCERT"] = "allow" keys = ["URI", "BASE", "TLS_CACERT", "TLS_REQCERT"] with open(ldap_conf, "w") as f: for key in keys: if key in config: f.write("%s %s\n" % (key, config[key])) f.close() os.chmod(ldap_conf, 0644)
def save(self, **kwargs): super(ActiveDirectory, self).save(**kwargs) if not self.ad_kerberos_realm: from freenasUI.common.freenasldap import (FreeNAS_ActiveDirectory, FLAGS_DBINIT) try: fad = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT) kr = KerberosRealm() kr.krb_realm = self.ad_domainname.upper() kr.krb_kdc = fad.krbname kr.krb_admin_server = kr.krb_kdc kr.krb_kpasswd_server = fad.kpwdname kr.save() self.ad_kerberos_realm = kr super(ActiveDirectory, self).save() except Exception as e: log.debug( "ActiveDirectory: Unable to create kerberos realm: %s", e)
bindpw=bindpw, errors=errors) if ret is False: raise forms.ValidationError("%s." % errors[0]) except FreeNAS_ActiveDirectory_Exception, e: raise forms.ValidationError('%s.' % e) args['binddn'] = binddn args['bindpw'] = bindpw else: args['keytab_principal'] = ad_kerberos_principal.principal_name args['keytab_file'] = '/etc/krb5.keytab' try: workgroup = FreeNAS_ActiveDirectory.get_workgroup_name(**args) except Exception as e: raise forms.ValidationError(e) if workgroup: if compare_netbios_names(netbiosname, workgroup, None): raise forms.ValidationError( _("The NetBIOS name cannot be the same as the workgroup name!" )) if netbiosname_b: if compare_netbios_names(netbiosname_b, workgroup, None): raise forms.ValidationError( _("The NetBIOS name cannot be the same as the workgroup " "name!")) else:
def main(): realms = KerberosRealm.objects.all() try: settings = KerberosSettings.objects.all()[0] except: settings = None kc = KerberosConfig(settings=settings) kc.create_default_config() ad = ldap = None ldap_objects = LDAP.objects.all() if ldap_objects and ldap_objects[0].ldap_enable: ldap = FreeNAS_LDAP(flags=FLAGS_DBINIT) ad_objects = ActiveDirectory.objects.all() if ad_objects and ad_objects[0].ad_enable: ad = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT) for kr in realms: if not kr.krb_realm: continue krb_kdc, krb_admin_server, krb_kpasswd_server = get_kerberos_servers( kr, ad, ldap) bc = KerberosConfigBindingCollection(name=kr.krb_realm) if krb_kdc: bc.append(KerberosConfigBinding(name="kdc", value=krb_kdc)) if krb_admin_server: bc.append( KerberosConfigBinding(name="admin_server", value=krb_admin_server)) if krb_kpasswd_server: bc.append( KerberosConfigBinding(name="kpasswd_server", value=krb_kpasswd_server)) bc.append( KerberosConfigBinding(name="default_domain", value=kr.krb_realm)) kc.add_bindings(['realms'], bc) bc = KerberosConfigBindingCollection() bc.append( KerberosConfigBinding(name=kr.krb_realm.lower(), value=kr.krb_realm.upper())) bc.append( KerberosConfigBinding(name=".%s" % kr.krb_realm.lower(), value=kr.krb_realm.upper())) bc.append( KerberosConfigBinding(name=kr.krb_realm.upper(), value=kr.krb_realm.upper())) bc.append( KerberosConfigBinding(name=".%s" % kr.krb_realm.upper(), value=kr.krb_realm.upper())) kc.add_bindings(['domain_realm'], bc) fp = open("/etc/krb5.conf", "w+") kc.generate_krb5_conf(stdout=fp) fp.close()
def start(): db = get_db_values() if db['cifs']['cifs_srv_netbiosname'] == db['cifs'][ 'cifs_srv_netbiosname_b']: ''' Logic for checking if we've configured samba to only run on the active storage controller ''' if not Client().call('notifier.failover_status') == "MASTER": return False if not db['ad']['ad_enable']: Client().call('datastore.update', 'directoryservice.ActiveDirectory', db['ad']['id'], {'ad_enable': 'True'}) if not db['cifs_srv']['srv_enable']: Client().call('datastore.update', 'services.services', db['cifs_srv']['id'], {'srv_enable': 'True'}) favored_dc = None dcs = FNAD.get_domain_controllers(db['ad']['ad_domainname'], site=db['ad']['ad_site'], ssl=db['ad']['ad_ssl']) ''' For performing domain join / AD start, we minimize the amount of complex operations that we're performing. This avoiding an extra LDAP bind here if possible. ''' if len(dcs) <= 1: favored_dc = FNAD.get_best_host(dcs) print(f'favored dc is {favored_dc}') else: ''' locate_site() requires an LDAP connection ''' fn = FNAD(flags=FLAGS_DBINIT) print("locating site") site = fn.locate_site() dcs = fn.get_domain_controllers(db['ad']['ad_domainname'], site, ssl=db['ad']['ad_ssl']) if len(dcs) <= 5: favored_dc = FNAD.get_best_host(dcs) service_launcher("ix-hostname", "quietstart") try: krb_realm = (db['ad']['ad_kerberos_realm']['krb_realm']) except: krb_realm = (db['ad']['ad_domainname']) service_launcher("ix-kerberos", command=f'quietstart default {krb_realm}') Client().call('etc.generate', 'nss') if db['ldap']['ldap_enable']: print('generating ldap_conf') Client().call('etc.generate', 'ldap') if not service_launcher("ix-kinit", "status"): if not service_launcher("ix-kinit", "quietstart"): print("ix-kinit failed") if db['ad']['ad_unix_extensions']: service_launcher("ix-sssd", "start") if service_launcher("sssd", "status"): service_launcher("sssd", "restart") else: service_launcher("sssd", "start") service_launcher("ix-pre-samba", "start") if not netads(db, "testjoin", bind_dc=favored_dc): print('preparing to join domain') netads(db, "join", bind_dc=favored_dc) service_launcher("samba_server", "restart") Client().call('etc.generate', 'pam') service_launcher("ix-cache", "quietstart")
def _cache_check_ActiveDirectory(**kwargs): if not kwargs.has_key('args') and kwargs['args']: return valid = {} ad = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT) domains = ad.get_domains() for d in domains: workgroup = d['nETBIOSName'] valid[workgroup] = True for arg in kwargs['args']: key = val = None if arg.startswith("u="): key = "u" val = arg.partition("u=")[2] elif arg.startswith("g="): key = "g" val = arg.partition("g=")[2] elif arg.startswith("du="): key = "du" val = arg.partition("du=")[2] elif arg.startswith("dg="): key = "dg" val = arg.partition("dg=")[2] else: continue if key in ('u', 'g'): parts = val.split('\\') if len(parts) < 2: continue workgroup = parts[0] if not valid.has_key(workgroup): continue ucache = FreeNAS_UserCache(dir=workgroup) gcache = FreeNAS_GroupCache(dir=workgroup) ducache = FreeNAS_Directory_UserCache(dir=workgroup) dgcache = FreeNAS_Directory_GroupCache(dir=workgroup) if key == 'u': if ucache and ucache.has_key(val) and ucache[val]: print "%s: %s" % (val, ucache[val]) elif key == 'g': if gcache and gcache.has_key(val) and gcache[val]: print "%s: %s" % (val, gcache[val]) elif key in ('du', 'dg'): for workgroup in valid.keys(): ucache = FreeNAS_UserCache(dir=workgroup) gcache = FreeNAS_GroupCache(dir=workgroup) ducache = FreeNAS_Directory_UserCache(dir=workgroup) dgcache = FreeNAS_Directory_GroupCache(dir=workgroup) if key == 'du': if ducache and ducache.has_key(val) and ducache[val]: print "%s: %s" % (val, ducache[val]) elif key == 'dg': if dgcache and dgache.has_key(val) and dgcache[val]: print "%s: %s" % (val, dgcache[val])
def _cache_check_ActiveDirectory(**kwargs): if 'args' not in kwargs and kwargs['args']: return valid = {} ad = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT) domains = ad.get_domains() for d in domains: workgroup = d['nETBIOSName'] valid[workgroup] = True for arg in kwargs['args']: key = val = None if arg.startswith("u="): key = "u" val = arg.partition("u=")[2] elif arg.startswith("g="): key = "g" val = arg.partition("g=")[2] elif arg.startswith("du="): key = "du" val = arg.partition("du=")[2] elif arg.startswith("dg="): key = "dg" val = arg.partition("dg=")[2] else: continue if key in ('u', 'g'): parts = val.split('\\') if len(parts) < 2: continue workgroup = parts[0] if workgroup not in valid: continue ucache = FreeNAS_UserCache(dir=workgroup) gcache = FreeNAS_GroupCache(dir=workgroup) ducache = FreeNAS_Directory_UserCache(dir=workgroup) dgcache = FreeNAS_Directory_GroupCache(dir=workgroup) if key == 'u': if ucache and val in ucache and ucache[val]: print "%s: %s" % (val, ucache[val]) elif key == 'g': if gcache and val in gcache and gcache[val]: print "%s: %s" % (val, gcache[val]) elif key in ('du', 'dg'): for workgroup in valid.keys(): ucache = FreeNAS_UserCache(dir=workgroup) gcache = FreeNAS_GroupCache(dir=workgroup) ducache = FreeNAS_Directory_UserCache(dir=workgroup) dgcache = FreeNAS_Directory_GroupCache(dir=workgroup) if key == 'du': if ducache and val in ducache and ducache[val]: print "%s: %s" % (val, ducache[val]) elif key == 'dg': if dgcache and val in dgcache and dgcache[val]: print "%s: %s" % (val, dgcache[val])
def add_activedirectory(sc): activedirectory = ActiveDirectory.objects.all()[0] ad = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT) use_ad_provider = False ad_cookie = ad.netbiosname ad_domain = 'domain/%s' % ad_cookie ad_section = None for key in sc.keys(): if key == ad_domain: ad_section = sc[key] break if not ad_section: ad_section = SSSDSectionDomain(ad_domain) ad_section.description = ad_cookie if ad_section.description != ad_cookie: return ad_defaults = [{ 'enumerate': 'true' }, { 'id_provider': 'ldap' }, { 'auth_provider': 'ldap' }, { 'access_provider': 'ldap' }, { 'chpass_provider': 'ldap' }, { 'ldap_schema': 'rfc2307bis' }, { 'ldap_user_object_class': 'person' }, { 'ldap_user_name': 'msSFU30Name' }, { 'ldap_user_uid_number': 'uidNumber' }, { 'ldap_user_gid_number': 'gidNumber' }, { 'ldap_user_home_directory': 'unixHomeDirectory' }, { 'ldap_user_shell': 'loginShell' }, { 'ldap_user_principal': 'userPrincipalName' }, { 'ldap_group_object_class': 'group' }, { 'ldap_group_name': 'msSFU30Name' }, { 'ldap_group_gid_number': 'gidNumber' }, { 'ldap_force_upper_case_realm': 'true' }, { 'use_fully_qualified_names': 'true' }] __, hostname, __ = os.uname()[0:3] if ad.keytab_name and ad.kerberos_realm and os.path.exists(ad.keytab_file): use_ad_provider = True if use_ad_provider: for d in ad_defaults: key = d.keys()[0] if key.startswith("ldap_") and key in d: del d[key] elif key.endswith("_provider"): d[key] = 'ad' ad_section.ad_hostname = hostname ad_section.ad_domain = ad.domainname ad_section.ldap_id_mapping = False for d in ad_defaults: if not d: continue key = d.keys()[0] if not key in ad_section: setattr(ad_section, key, d[key]) if activedirectory.ad_use_default_domain: ad_section.use_fully_qualified_names = 'false' try: shares = CIFS_Share.objects.all() for share in shares: if share.cifs_home and share.cifs_path: if ad.use_default_domain: homedir_path = "%s/%%u" % share.cifs_path else: homedir_path = "%s/%%d/%%u" % share.cifs_path ad_section.override_homedir = homedir_path except Exception as e: pass if use_ad_provider: pass # ad_section.auth_provider = 'krb5' # ad_section.chpass_provider = 'krb5' # ad_section.ldap_sasl_mech = 'GSSAPI' # ad_section.ldap_sasl_authid = ad.keytab_principal # ad_section.krb5_server = ad.krb_kdc # ad_section.krb5_realm = ad.krb_realm # ad_section.krb5_canonicalize = 'false' else: ad_section.ldap_uri = "ldap://%s" % ad.dchost ad_section.ldap_search_base = ad.basedn ad_section.ldap_default_bind_dn = ad.binddn ad_section.ldap_default_authtok_type = 'password' ad_section.ldap_default_authtok = ad.bindpw sc[ad_domain] = ad_section sc['sssd'].add_domain(ad_cookie) sc['sssd'].add_newline()
def clean(self): cdata = self.cleaned_data domain = cdata.get("ad_domainname") bindname = cdata.get("ad_bindname") binddn = "%s@%s" % (bindname, domain) bindpw = cdata.get("ad_bindpw") site = cdata.get("ad_site") netbiosname = cdata.get("ad_netbiosname_a") netbiosname_b = cdata.get("ad_netbiosname_b") ssl = cdata.get("ad_ssl") certificate = cdata["ad_certificate"] ad_kerberos_principal = cdata["ad_kerberos_principal"] workgroup = None if certificate: certificate = certificate.get_certificate_path() args = { 'domain': domain, 'site': site, 'ssl': ssl, 'certfile': certificate } if not cdata.get("ad_bindpw"): bindpw = self.instance.ad_bindpw cdata['ad_bindpw'] = bindpw if cdata.get("ad_enable") is False: return cdata if not ad_kerberos_principal: if not bindname: raise forms.ValidationError("No domain account name specified") if not bindpw: raise forms.ValidationError( "No domain account password specified") try: FreeNAS_ActiveDirectory.validate_credentials( domain, site=site, ssl=ssl, certfile=certificate, binddn=binddn, bindpw=bindpw) except LDAPError as e: # LDAPError is dumb, it returns a list with one element for goodness knows what reason e = e[0] error = [] desc = e.get('desc') info = e.get('info') if desc: error.append(desc) if info: error.append(info) if error: error = ', '.join(error) else: error = str(e) raise forms.ValidationError("{0}".format(error)) except Exception as e: raise forms.ValidationError('{0}.'.format(str(e))) args['binddn'] = binddn args['bindpw'] = bindpw else: args['keytab_principal'] = ad_kerberos_principal.principal_name args['keytab_file'] = '/etc/krb5.keytab' try: workgroup = FreeNAS_ActiveDirectory.get_workgroup_name(**args) except Exception as e: raise forms.ValidationError(e) if workgroup: if compare_netbios_names(netbiosname, workgroup, None): raise forms.ValidationError( _("The NetBIOS name cannot be the same as the workgroup name!" )) if netbiosname_b: if compare_netbios_names(netbiosname_b, workgroup, None): raise forms.ValidationError( _("The NetBIOS name cannot be the same as the workgroup " "name!")) else: log.warn("Unable to determine workgroup name") if ssl in ("off", None): return cdata if not certificate: raise forms.ValidationError( "SSL/TLS specified without certificate") return cdata
def clean(self): cdata = self.cleaned_data domain = cdata.get("ad_domainname") bindname = cdata.get("ad_bindname") binddn = "%s@%s" % (bindname, domain) bindpw = cdata.get("ad_bindpw") site = cdata.get("ad_site") netbiosname = cdata.get("ad_netbiosname_a") netbiosname_b = cdata.get("ad_netbiosname_b") ssl = cdata.get("ad_ssl") certificate = cdata["ad_certificate"] ad_kerberos_principal = cdata["ad_kerberos_principal"] workgroup = None if certificate: certificate = certificate.get_certificate_path() args = { 'domain': domain, 'site': site, 'ssl': ssl, 'certfile': certificate } if not cdata.get("ad_bindpw"): bindpw = self.instance.ad_bindpw cdata['ad_bindpw'] = bindpw if cdata.get("ad_enable") is False: return cdata if not ad_kerberos_principal: if not bindname: raise forms.ValidationError("No domain account name specified") if not bindpw: raise forms.ValidationError("No domain account password specified") try: FreeNAS_ActiveDirectory.validate_credentials( domain, site=site, ssl=ssl, certfile=certificate, binddn=binddn, bindpw=bindpw ) except LDAPError as e: # LDAPError is dumb, it returns a list with one element for goodness knows what reason e = e[0] error = [] desc = e.get('desc') info = e.get('info') if desc: error.append(desc) if info: error.append(info) if error: error = ', '.join(error) else: error = str(e) raise forms.ValidationError("{0}".format(error)) except Exception as e: raise forms.ValidationError('{0}.'.format(str(e))) args['binddn'] = binddn args['bindpw'] = bindpw else: args['keytab_principal'] = ad_kerberos_principal.principal_name args['keytab_file'] = '/etc/krb5.keytab' try: workgroup = FreeNAS_ActiveDirectory.get_workgroup_name(**args) except Exception as e: raise forms.ValidationError(e) if workgroup: if compare_netbios_names(netbiosname, workgroup, None): raise forms.ValidationError(_( "The NetBIOS name cannot be the same as the workgroup name!" )) if netbiosname_b: if compare_netbios_names(netbiosname_b, workgroup, None): raise forms.ValidationError(_( "The NetBIOS name cannot be the same as the workgroup " "name!" )) else: log.warn("Unable to determine workgroup name") if ssl in ("off", None): return cdata if not certificate: raise forms.ValidationError( "SSL/TLS specified without certificate") return cdata
binddn=binddn, bindpw=bindpw, errors=errors) if ret is False: raise forms.ValidationError("%s." % errors[0]) except FreeNAS_ActiveDirectory_Exception, e: raise forms.ValidationError('%s.' % e) args['binddn'] = binddn args['bindpw'] = bindpw else: args['keytab_principal'] = ad_kerberos_principal.principal_name args['keytab_file'] = '/etc/krb5.keytab' workgroup = FreeNAS_ActiveDirectory.get_workgroup_name(**args) if workgroup: if compare_netbios_names(netbiosname, workgroup, None): raise forms.ValidationError( _("The NetBIOS name cannot be the same as the workgroup name!" )) if netbiosname_b: if compare_netbios_names(netbiosname_b, workgroup, None): raise forms.ValidationError( _("The NetBIOS name cannot be the same as the workgroup " "name!")) else: log.warn("Unable to determine workgroup name") if ssl in ("off", None):
def clean(self): cdata = self.cleaned_data domain = cdata.get("ad_domainname") bindname = cdata.get("ad_bindname") binddn = "%s@%s" % (bindname, domain) bindpw = cdata.get("ad_bindpw") site = cdata.get("ad_site") netbiosname = cdata.get("ad_netbiosname_a") netbiosname_b = cdata.get("ad_netbiosname_b") ssl = cdata.get("ad_ssl") certificate = cdata["ad_certificate"] ad_kerberos_principal = cdata["ad_kerberos_principal"] workgroup = None if certificate: with client as c: certificate = c.call('certificateauthority.query', [['id', '=', certificate.id]], {'get': True}) certificate = certificate['certificate_path'] args = { 'domain': domain, 'site': site, 'ssl': ssl, 'certfile': certificate } if not cdata.get("ad_bindpw"): bindpw = self.instance.ad_bindpw cdata['ad_bindpw'] = bindpw if cdata.get("ad_enable") is False: return cdata if not ad_kerberos_principal: if not bindname: raise forms.ValidationError("No domain account name specified") if not bindpw: raise forms.ValidationError( "No domain account password specified") try: FreeNAS_ActiveDirectory.validate_credentials( domain, site=site, ssl=ssl, certfile=certificate, binddn=binddn, bindpw=bindpw) except LDAPError as e: log.debug("LDAPError: type = %s", type(e)) error = [] try: error.append(e.args[0]['info']) error.append(e.args[0]['desc']) error = ', '.join(error) except Exception as e: error = str(e) raise forms.ValidationError("{0}".format(error)) except Exception as e: log.debug("Exception: type = %s", type(e)) raise forms.ValidationError('{0}.'.format(str(e))) args['binddn'] = binddn args['bindpw'] = bindpw else: args['keytab_principal'] = ad_kerberos_principal.principal_name args['keytab_file'] = '/etc/krb5.keytab' try: workgroup = FreeNAS_ActiveDirectory.get_workgroup_name(**args) except Exception as e: raise forms.ValidationError(e) if workgroup: if compare_netbios_names(netbiosname, workgroup, None): raise forms.ValidationError( _("The NetBIOS name cannot be the same as the workgroup name!" )) if netbiosname_b: if compare_netbios_names(netbiosname_b, workgroup, None): raise forms.ValidationError( _("The NetBIOS name cannot be the same as the workgroup " "name!")) else: log.warn("Unable to determine workgroup name") if ssl in ("off", None): return cdata if not certificate: raise forms.ValidationError( "SSL/TLS specified without certificate") return cdata
def main(): """Use the django ORM to generate a config file. We'll build the config file as a series of lines, and once that is done write it out in one go""" map_acls_mode = False afp_config = "/usr/local/etc/afp.conf" cf_contents = [] afp = AFP.objects.order_by('-id')[0] cf_contents.append("[Global]\n") uam_list = ['uams_dhx.so', 'uams_dhx2.so'] if afp.afp_srv_guest: uam_list.append('uams_guest.so') cf_contents.append('\tguest account = %s\n' % afp.afp_srv_guest_user) # uams_gss.so bails out with an error if kerberos isn't configured if KerberosKeytab.objects.count() > 0: uam_list.append('uams_gss.so') cf_contents.append('\tuam list = %s\n' % (" ").join(uam_list)) if afp.afp_srv_bindip: cf_contents.append("\tafp listen = %s\n" % ' '.join(afp.afp_srv_bindip)) cf_contents.append("\tmax connections = %s\n" % afp.afp_srv_connections_limit) cf_contents.append("\tmimic model = RackMac\n") if afp.afp_srv_dbpath: cf_contents.append("\tvol dbnest = no\n") cf_contents.append("\tvol dbpath = %s\n" % afp.afp_srv_dbpath) else: cf_contents.append("\tvol dbnest = yes\n") if afp.afp_srv_global_aux: cf_contents.append("\t%s" % afp.afp_srv_global_aux.encode('utf8')) if afp.afp_srv_map_acls: cf_contents.append("\tmap acls = %s\n" % afp.afp_srv_map_acls) if afp.afp_srv_map_acls == 'mode' and activedirectory_enabled(): map_acls_mode = True if map_acls_mode: ad = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT) cf_contents.append("\tldap auth method = %s\n" % "simple") cf_contents.append("\tldap auth dn = %s\n" % ad.binddn) cf_contents.append("\tldap auth pw = %s\n" % ad.bindpw) cf_contents.append("\tldap server = %s\n" % ad.domainname) cf_contents.append("\tldap userbase = %s\n" % ad.userdn) cf_contents.append("\tldap userscope = %s\n" % "sub") cf_contents.append("\tldap groupbase = %s\n" % ad.groupdn) cf_contents.append("\tldap groupscope = %s\n" % "sub") cf_contents.append("\tldap user filter = %s\n" % "objectclass=user") cf_contents.append("\tldap group filter = %s\n" % "objectclass=group") cf_contents.append("\tldap uuid attr = %s\n" % "objectGUID") cf_contents.append("\tldap uuid encoding = %s\n" % "ms-guid") cf_contents.append("\tldap name attr = %s\n" % "sAMAccountName") cf_contents.append("\tldap group attr = %s\n" % "sAMAccountName") cf_contents.append("\n") if afp.afp_srv_homedir_enable: cf_contents.append("[Homes]\n") cf_contents.append("\tbasedir regex = %s\n" % afp.afp_srv_homedir) if afp.afp_srv_homename: cf_contents.append("\thome name = %s\n" % afp.afp_srv_homename) cf_contents.append("\n") for share in AFP_Share.objects.all(): cf_contents.append("[%s]\n" % share.afp_name) cf_contents.append("\tpath = %s\n" % share.afp_path) if share.afp_allow: cf_contents.append("\tvalid users = %s\n" % share.afp_allow) if share.afp_deny: cf_contents.append("\tinvalid users = %s\n" % share.afp_deny) if share.afp_hostsallow: cf_contents.append("\thosts allow = %s\n" % share.afp_hostsallow) if share.afp_hostsdeny: cf_contents.append("\thosts deny = %s\n" % share.afp_hostsdeny) if share.afp_ro: cf_contents.append("\trolist = %s\n" % share.afp_ro) if share.afp_rw: cf_contents.append("\trwlist = %s\n" % share.afp_rw) if share.afp_timemachine: cf_contents.append("\ttime machine = yes\n") if not share.afp_nodev: cf_contents.append("\tcnid dev = no\n") if share.afp_nostat: cf_contents.append("\tstat vol = no\n") if not share.afp_upriv: cf_contents.append("\tunix priv = no\n") else: if share.afp_fperm and not map_acls_mode: cf_contents.append("\tfile perm = %s\n" % share.afp_fperm) if share.afp_dperm and not map_acls_mode: cf_contents.append("\tdirectory perm = %s\n" % share.afp_dperm) if share.afp_umask and not map_acls_mode: cf_contents.append("\tumask = %s\n" % share.afp_umask) cf_contents.append("\tveto files = .windows/.mac/\n") if map_acls_mode: cf_contents.append("\tacls = yes\n") with open(afp_config, "w") as fh: for line in cf_contents: fh.write(line)
def add_activedirectory_conf(smb4_conf): rid_range_start = 20000 rid_range_end = 20000000 ad_range_start = 10000 ad_range_end = 90000000 try: ad = ActiveDirectory.objects.all()[0] except: return cachedir = "/var/tmp/.cache/.samba" try: os.makedirs(cachedir) except: pass ad_workgroup = None try: fad = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT) ad_workgroup = fad.netbiosname.upper() except: return confset2(smb4_conf, "netbios name = %s", ad.ad_netbiosname.upper()) confset2(smb4_conf, "workgroup = %s", ad_workgroup) confset2(smb4_conf, "realm = %s", ad.ad_domainname.upper()) confset1(smb4_conf, "security = ADS") confset1(smb4_conf, "client use spnego = yes") confset2(smb4_conf, "cache directory = %s", cachedir) confset1(smb4_conf, "local master = no") confset1(smb4_conf, "domain master = no") confset1(smb4_conf, "preferred master = no") confset1(smb4_conf, "acl check permissions = true") confset1(smb4_conf, "acl map full control = true") confset1(smb4_conf, "dos filemode = yes") confset1(smb4_conf, "winbind cache time = 7200") confset1(smb4_conf, "winbind offline logon = yes") confset1(smb4_conf, "winbind enum users = yes") confset1(smb4_conf, "winbind enum groups = yes") confset1(smb4_conf, "winbind nested groups = yes") confset2(smb4_conf, "winbind use default domain = %s", "yes" if ad.ad_use_default_domain else "no") confset1(smb4_conf, "winbind refresh tickets = yes") if ad.ad_unix_extensions: confset1(smb4_conf, "winbind nss info = rfc2307") idmap = get_idmap_object(ad.ds_type, ad.id, ad.ad_idmap_backend) configure_idmap_backend(smb4_conf, idmap, ad_workgroup) confset2(smb4_conf, "allow trusted domains = %s", "yes" if ad.ad_allow_trusted_doms else "no") confset1(smb4_conf, "template shell = /bin/sh") confset2(smb4_conf, "template homedir = %s", "/home/%D/%U" if not ad.ad_use_default_domain else "/home/%U")