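def rsop(self, gpo):
    """Report the Resultant Set of Policy for certificate auto-enrollment.

    Reads ``MACHINE/Registry.pol`` under the GPO's SYSVOL path and, when the
    ``AEPolicy`` value enables enrollment, lists every certification
    authority published in the directory together with its root
    certificate, enrollment server and supported templates.

    Args:
        gpo: group policy object; only ``gpo.file_sys_path`` is read.

    Returns:
        ``{'Auto Enrollment Policy': {<ca cn>: {...}}}``, or an empty dict
        when the policy file is missing/unparsable, the policy is disabled
        (``0x8000``) or the enroll bit is clear.
    """
    output = {}
    policy = 'Auto Enrollment Policy'
    pol_file = 'MACHINE/Registry.pol'
    # Raw string: the non-raw original leaned on '\P', '\M', '\C', '\A'
    # being invalid escapes that are left untouched (a warning on newer
    # Pythons); the runtime value is byte-identical.
    section = r'Software\Policies\Microsoft\Cryptography\AutoEnrollment'
    if not gpo.file_sys_path:
        return output
    pol_conf = self.parse(os.path.join(gpo.file_sys_path, pol_file))
    if not pol_conf:
        return output
    for e in pol_conf.entries:
        if e.keyname != section or e.valuename != 'AEPolicy':
            continue
        # This value is interpreted as specified in [MS-CAESO] 4.4.5.1:
        # 0x8000 disables the policy, bit 0 is the enroll flag. Parenthesize
        # the mask so the intent survives Python's precedence (& binds
        # tighter than ==, but that is easy to misread).
        enroll = (e.data & 0x1) == 0x1
        if e.data == 0x8000 or not enroll:
            continue
        output[policy] = {}
        # Directory lookup is done with the credentials this extension was
        # constructed with (self.creds).
        url = 'ldap://%s' % get_dc_hostname(self.creds, self.lp)
        ldb = Ldb(url=url, session_info=system_session(),
                  lp=self.lp, credentials=self.creds)
        for ca in fetch_certification_authorities(ldb):
            cn = ca['cn'][0]
            server = ca['dNSHostName'][0]
            root_cert = format_root_cert(ca['cACertificate'][0]).decode()
            supported_templates = get_supported_templates(server, self.logger)
            output[policy][cn] = {
                'CA Certificate': root_cert,
                'Auto Enrollment Server': server,
                'Templates': [t.decode() for t in supported_templates],
            }
    return output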
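def process_group_policy(self, deleted_gpo_list, changed_gpo_list,
                         trust_dir=None, private_dir=None):
    """Apply (or withdraw) certificate auto-enrollment for the given GPOs.

    For every deleted GPO that this extension previously stored state for,
    stop certmonger tracking, remove the CA from certmonger and unlink the
    files recorded in the gp_db. For every changed GPO whose ``AEPolicy``
    enables enrollment, enroll against each certification authority in the
    directory and record what ``cert_enroll`` produced.

    Args:
        deleted_gpo_list: iterable of ``(guid, settings)`` pairs.
        changed_gpo_list: iterable of GPOs exposing ``name`` and
            ``file_sys_path``.
        trust_dir: directory for CA certificates; defaults to
            ``self.lp.cache_path('certs')``.
        private_dir: directory for private key material; defaults to
            ``self.lp.private_path('certs')``.
    """
    if trust_dir is None:
        trust_dir = self.lp.cache_path('certs')
    if private_dir is None:
        private_dir = self.lp.private_path('certs')
    # mkdir's mode is further restricted by the umask, so private_dir can
    # only ever end up narrower than 0o700 — never wider.
    if not os.path.exists(trust_dir):
        os.mkdir(trust_dir, mode=0o755)
    if not os.path.exists(private_dir):
        os.mkdir(private_dir, mode=0o700)

    for guid, settings in deleted_gpo_list:
        self.gp_db.set_guid(guid)
        if str(self) in settings:
            # Loop-invariant: resolve certmonger's CLI once per GPO.
            getcert = which('getcert')
            for ca_cn_enc, data in settings[str(self)].items():
                ca_cn = base64.b64decode(ca_cn_enc)
                data = json.loads(data)
                # certmonger may be absent; recorded files are removed
                # regardless so no key material is left behind.
                if getcert is not None:
                    Popen([getcert, 'remove-ca', '-c', ca_cn]).wait()
                    for nickname in data['templates']:
                        Popen([getcert, 'stop-tracking',
                               '-i', nickname]).wait()
                for f in data['files']:
                    if os.path.exists(f):
                        os.unlink(f)
                self.gp_db.delete(str(self), ca_cn_enc)
            self.gp_db.commit()

    # Raw string: the non-raw original relied on '\P', '\M', '\C', '\A'
    # being invalid escapes left untouched; the value is byte-identical.
    section = r'Software\Policies\Microsoft\Cryptography\AutoEnrollment'
    pol_file = 'MACHINE/Registry.pol'
    for gpo in changed_gpo_list:
        if not gpo.file_sys_path:
            continue
        self.gp_db.set_guid(gpo.name)
        pol_conf = self.parse(os.path.join(gpo.file_sys_path, pol_file))
        if not pol_conf:
            continue
        for e in pol_conf.entries:
            if e.keyname != section or e.valuename != 'AEPolicy':
                continue
            # This policy applies as specified in [MS-CAESO] 4.4.5.1
            if e.data == 0x8000:
                continue  # The policy is disabled
            # Only the enroll bit (0x1) is acted on. The original also
            # derived manage (0x2) and retrieve-pending (0x4) flags, but
            # compared the masked value with 1 so they were always False
            # and were never used; they are omitted until implemented.
            enroll = (e.data & 0x1) == 0x1
            if not enroll:
                continue
            url = 'ldap://%s' % get_dc_hostname(self.creds, self.lp)
            ldb = Ldb(url=url, session_info=system_session(),
                      lp=self.lp, credentials=self.creds)
            for ca in fetch_certification_authorities(ldb):
                data = cert_enroll(ca, trust_dir, private_dir, self.logger)
                self.gp_db.store(str(self),
                                 base64.b64encode(ca['cn'][0]).decode(),
                                 data)
            self.gp_db.commit()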
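def set_dc(self, dc_fqdn):
    ''' Force selection of the specified DC

    Args:
        dc_fqdn: fully qualified name of the DC to use, or None to let
            get_dc_hostname() pick one.

    Raises:
        Whatever the lookup or the logger raised; it is logged as E10
        and then re-raised unchanged.
    '''
    self.selected_dc = None
    try:
        if dc_fqdn is not None:
            log('D38', {'user_dc': dc_fqdn})
            self.selected_dc = dc_fqdn
        else:
            self.selected_dc = get_dc_hostname(self.creds, self.lp)
    except Exception as exc:
        log('E10', {'msg': str(exc)})
        # Bare raise preserves the original traceback instead of
        # appending this frame a second time.
        raise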
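def set_dc(self, dc_fqdn):
    ''' Force selection of the specified DC

    Args:
        dc_fqdn: fully qualified name of the DC to use, or None to keep
            the one get_dc_hostname() resolves.

    Returns:
        The selected DC hostname, or None when the lookup failed.
    '''
    self.selected_dc = None
    try:
        samba_dc = get_dc_hostname(self.creds, self.lp)
        if dc_fqdn is not None and samba_dc != dc_fqdn:
            # The original formatted an undefined name (`dc`); the
            # resulting NameError was swallowed by a bare except, so a
            # differing user-supplied DC silently left selected_dc None.
            logging.debug(
                slogm(
                    'Samba DC setting is {} and is overwritten by user setting {}'
                    .format(samba_dc, dc_fqdn)))
            self.selected_dc = dc_fqdn
        else:
            self.selected_dc = samba_dc
    except Exception:
        # Narrowed from a bare except so SystemExit/KeyboardInterrupt
        # still propagate.
        # NOTE(review): a failed lookup also discards an explicit dc_fqdn;
        # confirm whether a user-forced DC should survive that failure.
        logging.error(slogm('Unable to determine DC hostname'))
    return self.selected_dc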