def test_case_insensitive(ldap_conn, simple_ad):
# resolve group and also member of this group
group = 'Domain Users'
group_id = grp.getgrnam(group).gr_gid
group_sid = 'S-1-5-21-1305200397-2901131868-73388776-513'
output = pysss_nss_idmap.getsidbyname(group)[group]
assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP
assert output[pysss_nss_idmap.SID_KEY] == group_sid
output = pysss_nss_idmap.getsidbyid(group_id)[group_id]
assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP
assert output[pysss_nss_idmap.SID_KEY] == group_sid
output = pysss_nss_idmap.getsidbygid(group_id)[group_id]
assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP
assert output[pysss_nss_idmap.SID_KEY] == group_sid
output = pysss_nss_idmap.getsidbyuid(group_id)
assert len(output) == 0
output = pysss_nss_idmap.getidbysid(group_sid)[group_sid]
assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP
assert output[pysss_nss_idmap.ID_KEY] == group_id
output = pysss_nss_idmap.getnamebysid(group_sid)[group_sid]
assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP
assert output[pysss_nss_idmap.NAME_KEY] == group.lower()
def test_ignore_unreadable_references(ldap_conn, simple_ad_ignore_unrdbl_refs):
group = 'group3_dom1-17775'
group_id = grp.getgrnam(group).gr_gid
group_sid = 'S-1-5-21-1305200397-2901131868-73388776-82764'
output = pysss_nss_idmap.getsidbyname(group)[group]
assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP
assert output[pysss_nss_idmap.SID_KEY] == group_sid
output = pysss_nss_idmap.getsidbyid(group_id)[group_id]
assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP
assert output[pysss_nss_idmap.SID_KEY] == group_sid
output = pysss_nss_idmap.getsidbygid(group_id)[group_id]
assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP
assert output[pysss_nss_idmap.SID_KEY] == group_sid
output = pysss_nss_idmap.getsidbyuid(group_id)
assert len(output) == 0
output = pysss_nss_idmap.getidbysid(group_sid)[group_sid]
assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP
assert output[pysss_nss_idmap.ID_KEY] == group_id
output = pysss_nss_idmap.getnamebysid(group_sid)[group_sid]
assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP
assert output[pysss_nss_idmap.NAME_KEY] == group
def test_user_operations(ldap_conn, simple_ad):
user = '******'
user_id = pwd.getpwnam(user).pw_uid
user_sid = 'S-1-5-21-1305200397-2901131868-73388776-82809'
output = pysss_nss_idmap.getsidbyname(user)[user]
assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_USER
assert output[pysss_nss_idmap.SID_KEY] == user_sid
output = pysss_nss_idmap.getsidbyid(user_id)[user_id]
assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_USER
assert output[pysss_nss_idmap.SID_KEY] == user_sid
output = pysss_nss_idmap.getsidbyuid(user_id)[user_id]
assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_USER
assert output[pysss_nss_idmap.SID_KEY] == user_sid
output = pysss_nss_idmap.getsidbygid(user_id)
assert len(output) == 0
output = pysss_nss_idmap.getidbysid(user_sid)[user_sid]
assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_USER
assert output[pysss_nss_idmap.ID_KEY] == user_id
output = pysss_nss_idmap.getnamebysid(user_sid)[user_sid]
assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_USER
assert output[pysss_nss_idmap.NAME_KEY] == user
def test_group_operations(ldap_conn, simple_ad):
group = 'group1_dom1-19661'
group_id = grp.getgrnam(group).gr_gid
group_sid = 'S-1-5-21-1305200397-2901131868-73388776-82810'
output = pysss_nss_idmap.getsidbyname(group)[group]
assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP
assert output[pysss_nss_idmap.SID_KEY] == group_sid
output = pysss_nss_idmap.getsidbyid(group_id)[group_id]
assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP
assert output[pysss_nss_idmap.SID_KEY] == group_sid
output = pysss_nss_idmap.getsidbygid(group_id)[group_id]
assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP
assert output[pysss_nss_idmap.SID_KEY] == group_sid
output = pysss_nss_idmap.getsidbyuid(group_id)
assert len(output) == 0
output = pysss_nss_idmap.getidbysid(group_sid)[group_sid]
assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP
assert output[pysss_nss_idmap.ID_KEY] == group_id
output = pysss_nss_idmap.getnamebysid(group_sid)[group_sid]
assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP
assert output[pysss_nss_idmap.NAME_KEY] == group
def get_trusted_domain_user_and_groups(self, object_name):
"""
Returns a tuple with user SID and a list of SIDs of all groups he is
a member of.
First attempts to perform SID lookup via SSSD and in case of failure
resorts back to checking trusted domain's AD DC LDAP directly.
LIMITATIONS:
- only Trusted Admins group members can use this function as it
uses secret for IPA-Trusted domain link if SSSD lookup failed
- List of group SIDs does not contain group memberships outside
of the trusted domain
"""
group_sids = None
group_list = None
object_sid = None
is_valid_sid = is_sid_valid(object_name)
if is_valid_sid:
object_sid = object_name
result = pysss_nss_idmap.getnamebysid(object_name)
if object_name in result and (pysss_nss_idmap.NAME_KEY in result[object_name]):
group_list = pysss.getgrouplist(result[object_name][pysss_nss_idmap.NAME_KEY])
else:
result = pysss_nss_idmap.getsidbyname(object_name)
if object_name in result and (pysss_nss_idmap.SID_KEY in result[object_name]):
object_sid = result[object_name][pysss_nss_idmap.SID_KEY]
group_list = pysss.getgrouplist(object_name)
if not group_list:
return self.__get_trusted_domain_user_and_groups(object_name)
group_sids = pysss_nss_idmap.getsidbyname(group_list)
return (object_sid, [el[1][pysss_nss_idmap.SID_KEY] for el in group_sids.items()])
def test_case_insensitive(ldap_conn, simple_ad):
# resolve group and also member of this group
group = 'Domain Users'
group_id = grp.getgrnam(group).gr_gid
group_sid = 'S-1-5-21-1305200397-2901131868-73388776-513'
output = pysss_nss_idmap.getsidbyname(group)[group]
assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP
assert output[pysss_nss_idmap.SID_KEY] == group_sid
output = pysss_nss_idmap.getsidbyid(group_id)[group_id]
assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP
assert output[pysss_nss_idmap.SID_KEY] == group_sid
output = pysss_nss_idmap.getsidbygid(group_id)[group_id]
assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP
assert output[pysss_nss_idmap.SID_KEY] == group_sid
output = pysss_nss_idmap.getsidbyuid(group_id)
assert len(output) == 0
output = pysss_nss_idmap.getidbysid(group_sid)[group_sid]
assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP
assert output[pysss_nss_idmap.ID_KEY] == group_id
output = pysss_nss_idmap.getnamebysid(group_sid)[group_sid]
assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP
assert output[pysss_nss_idmap.NAME_KEY] == group.lower()
def test_group_operations(ldap_conn, simple_ad):
group = 'group3_dom1-17775'
group_id = grp.getgrnam(group).gr_gid
group_sid = 'S-1-5-21-1305200397-2901131868-73388776-82764'
output = pysss_nss_idmap.getsidbyname(group)[group]
assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP
assert output[pysss_nss_idmap.SID_KEY] == group_sid
output = pysss_nss_idmap.getsidbyid(group_id)[group_id]
assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP
assert output[pysss_nss_idmap.SID_KEY] == group_sid
output = pysss_nss_idmap.getsidbygid(group_id)[group_id]
assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP
assert output[pysss_nss_idmap.SID_KEY] == group_sid
output = pysss_nss_idmap.getsidbyuid(group_id)
assert len(output) == 0
output = pysss_nss_idmap.getidbysid(group_sid)[group_sid]
assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP
assert output[pysss_nss_idmap.ID_KEY] == group_id
output = pysss_nss_idmap.getnamebysid(group_sid)[group_sid]
assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP
assert output[pysss_nss_idmap.NAME_KEY] == group
def test_user_operations(ldap_conn, simple_ad):
user = '******'
user_id = pwd.getpwnam(user).pw_uid
user_sid = 'S-1-5-21-1305200397-2901131868-73388776-82809'
output = pysss_nss_idmap.getsidbyname(user)[user]
assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_USER
assert output[pysss_nss_idmap.SID_KEY] == user_sid
output = pysss_nss_idmap.getsidbyid(user_id)[user_id]
assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_USER
assert output[pysss_nss_idmap.SID_KEY] == user_sid
output = pysss_nss_idmap.getsidbyuid(user_id)[user_id]
assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_USER
assert output[pysss_nss_idmap.SID_KEY] == user_sid
output = pysss_nss_idmap.getsidbygid(user_id)
assert len(output) == 0
output = pysss_nss_idmap.getidbysid(user_sid)[user_sid]
assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_USER
assert output[pysss_nss_idmap.ID_KEY] == user_id
output = pysss_nss_idmap.getnamebysid(user_sid)[user_sid]
assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_USER
assert output[pysss_nss_idmap.NAME_KEY] == user
def check(self):
if not self.registry.trust_agent:
logger.debug('Not a trust agent, skipping')
return
try:
trust_domains = get_trust_domains()
except Exception as e:
yield Result(self,
constants.WARNING,
key='trust-find',
error=str(e),
msg='Execution of {key} failed: {error}')
trust_domains = []
for trust_domain in trust_domains:
sid = trust_domain.get('domainsid')
try:
id = pysss_nss_idmap.getnamebysid(sid + '-500')
except Exception as e:
yield Result(self,
constants.ERROR,
key=sid,
error=str(e),
msg='Look up of{key} failed: {error}')
continue
if not id:
yield Result(self,
constants.WARNING,
key=sid,
error='returned nothing',
msg='Look up of {key} {error}')
else:
yield Result(self,
constants.SUCCESS,
key='Domain Security Identifier',
sid=sid)
domain = trust_domain.get('domain')
args = [paths.SSSCTL, "domain-status", domain, "--active-server"]
try:
result = ipautil.run(args, capture_output=True)
except Exception as e:
yield Result(self,
constants.ERROR,
key='domain-status',
error=str(e),
msg='Execution of {key} failed: {error}')
continue
else:
for txt in ['AD Global Catalog', 'AD Domain Controller']:
if txt not in result.output:
yield Result(self,
constants.ERROR,
key=txt,
output=result.output.strip(),
sssctl=paths.SSSCTL,
domain=domain,
msg='{key} not found in {sssctl} '
'\'domain-status\' output: {output}')
else:
yield Result(self,
constants.SUCCESS,
key=txt,
domain=domain)
