def get_trusted_domain_user_and_groups(self, object_name):
    """
    Return ``(user SID, [group SIDs])`` for a user of a trusted domain.

    ``object_name`` is either a SID string or a user name. The lookup is
    first attempted through SSSD (``pysss_nss_idmap`` / ``pysss``); when
    SSSD cannot produce a group list, the private fallback queries the
    trusted domain's AD DC LDAP directly.

    LIMITATIONS:
    - only Trusted Admins group members can use this function as it uses
      secret for IPA-Trusted domain link if SSSD lookup failed
    - List of group SIDs does not contain group memberships outside of the
      trusted domain
    """
    sid_key = pysss_nss_idmap.SID_KEY
    name_key = pysss_nss_idmap.NAME_KEY

    object_sid = None
    group_list = None

    if is_sid_valid(object_name):
        # The caller handed us a SID: keep it as-is and map it to a name,
        # which is what the group membership lookup needs.
        object_sid = object_name
        lookup = pysss_nss_idmap.getnamebysid(object_name)
        if object_name in lookup and name_key in lookup[object_name]:
            group_list = pysss.getgrouplist(lookup[object_name][name_key])
    else:
        # The caller handed us a name: resolve it to a SID first, then
        # enumerate memberships by name.
        lookup = pysss_nss_idmap.getsidbyname(object_name)
        if object_name in lookup and sid_key in lookup[object_name]:
            object_sid = lookup[object_name][sid_key]
        group_list = pysss.getgrouplist(object_name)

    if not group_list:
        # SSSD produced nothing usable; go to the AD DC directly.
        return self.__get_trusted_domain_user_and_groups(object_name)

    # getsidbyname accepts a list of names and returns a mapping per name.
    group_sids = pysss_nss_idmap.getsidbyname(group_list)
    return (object_sid, [entry[sid_key] for entry in group_sids.values()])
def test_ignore_unreadable_references(ldap_conn, simple_ad_ignore_unrdbl_refs):
    """Group lookups still resolve with the unreadable-references fixture.

    ``group3_dom1-17775`` is resolved through every pysss_nss_idmap lookup
    direction (name -> SID, id -> SID, gid -> SID, SID -> id, SID -> name),
    and a uid lookup with the group's gid must yield nothing.
    The fixture name suggests SSSD is configured to ignore unreadable
    references here; what the fixture sets up is not visible in this file.
    """
    group = 'group3_dom1-17775'
    group_id = grp.getgrnam(group).gr_gid
    group_sid = 'S-1-5-21-1305200397-2901131868-73388776-82764'
    type_key = pysss_nss_idmap.TYPE_KEY
    id_group = pysss_nss_idmap.ID_GROUP

    def expect_group(entry, key, value):
        # every successful lookup reports a group object plus one
        # direction-specific field
        assert entry[type_key] == id_group
        assert entry[key] == value

    expect_group(pysss_nss_idmap.getsidbyname(group)[group],
                 pysss_nss_idmap.SID_KEY, group_sid)
    expect_group(pysss_nss_idmap.getsidbyid(group_id)[group_id],
                 pysss_nss_idmap.SID_KEY, group_sid)
    expect_group(pysss_nss_idmap.getsidbygid(group_id)[group_id],
                 pysss_nss_idmap.SID_KEY, group_sid)

    # a gid must not resolve as a uid
    assert len(pysss_nss_idmap.getsidbyuid(group_id)) == 0

    expect_group(pysss_nss_idmap.getidbysid(group_sid)[group_sid],
                 pysss_nss_idmap.ID_KEY, group_id)
    expect_group(pysss_nss_idmap.getnamebysid(group_sid)[group_sid],
                 pysss_nss_idmap.NAME_KEY, group)
def test_case_insensitive(ldap_conn, simple_ad):
    """Lookups of a mixed-case group name are case-insensitive.

    ``Domain Users`` is resolved through every pysss_nss_idmap lookup
    direction; the reverse SID -> name lookup is expected to hand the
    name back lower-cased.
    """
    # resolve group and also member of this group
    group = 'Domain Users'
    group_id = grp.getgrnam(group).gr_gid
    group_sid = 'S-1-5-21-1305200397-2901131868-73388776-513'
    type_key = pysss_nss_idmap.TYPE_KEY
    id_group = pysss_nss_idmap.ID_GROUP

    def expect_group(entry, key, value):
        # every successful lookup reports a group object plus one
        # direction-specific field
        assert entry[type_key] == id_group
        assert entry[key] == value

    expect_group(pysss_nss_idmap.getsidbyname(group)[group],
                 pysss_nss_idmap.SID_KEY, group_sid)
    expect_group(pysss_nss_idmap.getsidbyid(group_id)[group_id],
                 pysss_nss_idmap.SID_KEY, group_sid)
    expect_group(pysss_nss_idmap.getsidbygid(group_id)[group_id],
                 pysss_nss_idmap.SID_KEY, group_sid)

    # a gid must not resolve as a uid
    assert len(pysss_nss_idmap.getsidbyuid(group_id)) == 0

    expect_group(pysss_nss_idmap.getidbysid(group_sid)[group_sid],
                 pysss_nss_idmap.ID_KEY, group_id)
    # the canonical name comes back lower-cased
    expect_group(pysss_nss_idmap.getnamebysid(group_sid)[group_sid],
                 pysss_nss_idmap.NAME_KEY, group.lower())
def test_group_operations(ldap_conn, simple_ad):
    """Round-trip a group through all pysss_nss_idmap lookup directions.

    ``group1_dom1-19661`` must resolve name -> SID, id -> SID, gid -> SID,
    SID -> id and SID -> name, and a uid lookup with its gid must yield
    nothing.
    """
    group = 'group1_dom1-19661'
    group_id = grp.getgrnam(group).gr_gid
    group_sid = 'S-1-5-21-1305200397-2901131868-73388776-82810'
    type_key = pysss_nss_idmap.TYPE_KEY
    id_group = pysss_nss_idmap.ID_GROUP

    def expect_group(entry, key, value):
        # every successful lookup reports a group object plus one
        # direction-specific field
        assert entry[type_key] == id_group
        assert entry[key] == value

    expect_group(pysss_nss_idmap.getsidbyname(group)[group],
                 pysss_nss_idmap.SID_KEY, group_sid)
    expect_group(pysss_nss_idmap.getsidbyid(group_id)[group_id],
                 pysss_nss_idmap.SID_KEY, group_sid)
    expect_group(pysss_nss_idmap.getsidbygid(group_id)[group_id],
                 pysss_nss_idmap.SID_KEY, group_sid)

    # a gid must not resolve as a uid
    assert len(pysss_nss_idmap.getsidbyuid(group_id)) == 0

    expect_group(pysss_nss_idmap.getidbysid(group_sid)[group_sid],
                 pysss_nss_idmap.ID_KEY, group_id)
    expect_group(pysss_nss_idmap.getnamebysid(group_sid)[group_sid],
                 pysss_nss_idmap.NAME_KEY, group)
def test_user_operations(ldap_conn, simple_ad):
    """Round-trip a user through all pysss_nss_idmap lookup directions.

    The user must resolve name -> SID, id -> SID, uid -> SID, SID -> id and
    SID -> name, and a gid lookup with the user's uid must yield nothing.
    """
    user = '******'
    user_id = pwd.getpwnam(user).pw_uid
    user_sid = 'S-1-5-21-1305200397-2901131868-73388776-82809'
    type_key = pysss_nss_idmap.TYPE_KEY
    id_user = pysss_nss_idmap.ID_USER

    def expect_user(entry, key, value):
        # every successful lookup reports a user object plus one
        # direction-specific field
        assert entry[type_key] == id_user
        assert entry[key] == value

    expect_user(pysss_nss_idmap.getsidbyname(user)[user],
                pysss_nss_idmap.SID_KEY, user_sid)
    expect_user(pysss_nss_idmap.getsidbyid(user_id)[user_id],
                pysss_nss_idmap.SID_KEY, user_sid)
    expect_user(pysss_nss_idmap.getsidbyuid(user_id)[user_id],
                pysss_nss_idmap.SID_KEY, user_sid)

    # a uid must not resolve as a gid
    assert len(pysss_nss_idmap.getsidbygid(user_id)) == 0

    expect_user(pysss_nss_idmap.getidbysid(user_sid)[user_sid],
                pysss_nss_idmap.ID_KEY, user_id)
    expect_user(pysss_nss_idmap.getnamebysid(user_sid)[user_sid],
                pysss_nss_idmap.NAME_KEY, user)
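def get_trusted_domain_object_sid(self, object_name):
    """
    Resolve ``object_name`` (a user or group of a trusted domain) to its SID.

    SSSD is consulted first through ``pysss_nss_idmap``; when that yields no
    SID the trusted domain's AD DC is queried over LDAP for a single user or
    group entry whose ``sAMAccountName`` matches the name part of
    ``object_name``.

    :param object_name: user or group name; ``normalize_name`` splits it
        into ``name`` plus an optional ``domain`` / ``flatname`` part
    :returns: the SID as a unicode string
    :raises errors.ValidationError: when no domain is given (ambiguous
        search), when the AD DC does not return exactly one matching
        object, or when the returned objectSid is not a valid SID
    """
    result = pysss_nss_idmap.getsidbyname(object_name)
    if object_name in result and (pysss_nss_idmap.SID_KEY in result[object_name]):
        return result[object_name][pysss_nss_idmap.SID_KEY]

    # Else, we are going to contact AD DC LDAP
    components = normalize_name(object_name)
    if not ('domain' in components or 'flatname' in components):
        # No domain or realm specified, ambiguous search
        raise errors.ValidationError(name=_('trusted domain object'),
            error=_('Ambiguous search, user domain was not specified'))

    # The name is caller-supplied and is interpolated into an LDAP search
    # filter, so the RFC 4515 special characters are escaped first; the
    # backslash goes first so the other escapes are not double-escaped.
    escaped_name = components['name']
    for raw, escaped in (('\\', r'\5c'), ('*', r'\2a'), ('(', r'\28'),
                         (')', r'\29'), ('\0', r'\00')):
        escaped_name = escaped_name.replace(raw, escaped)

    attrs = ['objectSid']
    search_filter = ('(&(sAMAccountName=%(name)s)'
                     '(|(objectClass=user)(objectClass=group)))'
                     % dict(name=escaped_name))
    scope = _ldap.SCOPE_SUBTREE
    entries = self.get_trusted_domain_objects(components.get('domain'),
                                              components.get('flatname'),
                                              search_filter, attrs, scope)

    if len(entries) != 1:
        # Zero or several matches: neither identifies one object, so both
        # are treated as invalid instead of indexing into an empty result.
        raise errors.ValidationError(name=_('trusted domain object'),
            error=_('Trusted domain did not return a unique object'))

    sid = self.__sid_to_str(entries[0][1]['objectSid'][0])
    try:
        # round-trip through samba's dom_sid to validate the SID syntax
        test_sid = security.dom_sid(sid)
    except TypeError:
        raise errors.ValidationError(name=_('trusted domain object'),
            error=_('Trusted domain did not return a valid SID for the object'))
    else:
        return unicode(test_sid)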
def test_group_operations(ldap_conn, simple_ad):
    """Round-trip a group through all pysss_nss_idmap lookup directions.

    ``group3_dom1-17775`` must resolve name -> SID, id -> SID, gid -> SID,
    SID -> id and SID -> name, and a uid lookup with its gid must yield
    nothing.
    """
    group = 'group3_dom1-17775'
    group_id = grp.getgrnam(group).gr_gid
    group_sid = 'S-1-5-21-1305200397-2901131868-73388776-82764'
    type_key = pysss_nss_idmap.TYPE_KEY
    id_group = pysss_nss_idmap.ID_GROUP

    def expect_group(entry, key, value):
        # every successful lookup reports a group object plus one
        # direction-specific field
        assert entry[type_key] == id_group
        assert entry[key] == value

    expect_group(pysss_nss_idmap.getsidbyname(group)[group],
                 pysss_nss_idmap.SID_KEY, group_sid)
    expect_group(pysss_nss_idmap.getsidbyid(group_id)[group_id],
                 pysss_nss_idmap.SID_KEY, group_sid)
    expect_group(pysss_nss_idmap.getsidbygid(group_id)[group_id],
                 pysss_nss_idmap.SID_KEY, group_sid)

    # a gid must not resolve as a uid
    assert len(pysss_nss_idmap.getsidbyuid(group_id)) == 0

    expect_group(pysss_nss_idmap.getidbysid(group_sid)[group_sid],
                 pysss_nss_idmap.ID_KEY, group_id)
    expect_group(pysss_nss_idmap.getnamebysid(group_sid)[group_sid],
                 pysss_nss_idmap.NAME_KEY, group)
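def wbinfo_getsid(domain, user):
    '''
    Return the SID of ``user`` in ``domain``.

    On a client the lookup goes through SSSD (``pysss_nss_idmap``); when
    SSSD does not know the name the function falls back to ``wbinfo -n``,
    which only works on a DC.

    :param domain: domain name; upper-cased before the lookup
    :param user: user name within ``domain``
    :returns: the SID as a text string
    :raises subprocess.CalledProcessError: when ``wbinfo`` exits non-zero
    :raises IndexError: when ``wbinfo`` prints nothing
    '''
    # This part works only on client
    username = '******'.format(domain.upper(), user)
    sid = pysss_nss_idmap.getsidbyname(username)
    if username in sid:
        # Use the module's key constant rather than a bare 'sid' literal so
        # this stays in step with the other pysss_nss_idmap callers.
        return sid[username][pysss_nss_idmap.SID_KEY]

    # This part works only on DC.  The argument-list form (no shell) keeps
    # `username` from being interpreted by a shell.
    wbinfo_cmd = ['wbinfo', '-n', username]
    output = subprocess.check_output(wbinfo_cmd)
    # the SID is taken as the first whitespace-separated token of the output
    return output.split()[0].decode('utf-8')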