From: Joseph Sutton
Date: Wed, 23 Feb 2022 22:05:57 +0000 (+1300)
Subject: samba-tool: Check specified domain and realm against our own
X-Git-Tag: tevent-0.12.0~228
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0bd4bc40f4ad29446577d23e84e059e5bb1e5de5;p=thirdparty%2Fsamba.git
samba-tool: Check specified domain and realm against our own
Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett
Autobuild-User(master): Andrew Bartlett
Autobuild-Date(master): Mon Mar 28 03:11:51 UTC 2022 on sn-devel-184
---
diff --git a/python/samba/netcmd/common.py b/python/samba/netcmd/common.py
index 9564da030e2..4cdccd073ba 100644
--- a/python/samba/netcmd/common.py
+++ b/python/samba/netcmd/common.py
@@ -20,6 +20,7 @@ import re
 from samba.dcerpc import nbt
 from samba.net import Net
+from samba.netcmd import CommandError
 import ldb
@@ -27,26 +28,44 @@ import ldb
 NEVER_TIMESTAMP = int(-0x8000000000000000)
-def _get_user_realm_domain(user):
+def _get_user_realm_domain(user, sam=None):
 r""" get the realm or the domain and the base user from user like:
 * username
 * DOMAIN\username
 * username@REALM
+
+ A SamDB object can also be passed in to check
+ our domain or realm against the obtained ones.
 """
 baseuser = user
- realm = ""
- domain = ""
 m = re.match(r"(\w+)\\(\w+$)", user)
 if m:
 domain = m.group(1)
 baseuser = m.group(2)
- return (baseuser.lower(), realm, domain.upper())
+
+ if sam is not None:
+ our_domain = sam.domain_netbios_name()
+ if domain.lower() != our_domain.lower():
+ raise CommandError(f"Given domain '{domain}' does not match "
+ f"our domain '{our_domain}'!")
+
+ return (baseuser.lower(), "", domain.upper())
+
+ realm = ""
 m = re.match(r"(\w+)@(\w+)", user)
 if m:
 baseuser = m.group(1)
 realm = m.group(2)
+
+ if sam is not None:
+ our_realm = sam.domain_dns_name()
+ our_realm_initial = our_realm.split('.', 1)[0]
+ if realm.lower() != our_realm_initial.lower():
+ raise CommandError(f"Given realm '{realm}' does not match our "
+ f"realm '{our_realm}'!")
+
+ return (baseuser.lower(), realm.upper(), "")
 def netcmd_dnsname(lp):
diff --git a/python/samba/netcmd/delegation.py b/python/samba/netcmd/delegation.py
index 15947cc67a3..35a91aca458 100644
--- a/python/samba/netcmd/delegation.py
+++ b/python/samba/netcmd/delegation.py
@@ -150,7 +150,8 @@ class cmd_delegation_show(Command):
 credentials=creds, lp=lp)
 # TODO once I understand how, use the domain info to naildown
 # to the correct domain
- (cleanedaccount, realm, domain) = _get_user_realm_domain(accountname)
+ (cleanedaccount, realm, domain) = _get_user_realm_domain(accountname,
+ sam)
 res = sam.search(expression="sAMAccountName=%s" %
 ldb.binary_encode(cleanedaccount),
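Review bot: The realm check in the `username@REALM` branch compares only the first DNS label, and the pattern `(\w+)@(\w+)` stops at the first `.` and is not anchored, so `user@samdom.example.invalid` (or `user@samdom.anything`) is accepted for a domain whose DNS name is `samdom.example.com`; the new check catches a mistyped label but not a wrong realm. I would anchor the pattern and accept either the short or the full form, `m = re.match(r"(\w+)@([\w.]+)$", user)` and `if realm.lower() not in (our_realm.lower(), our_realm_initial.lower()):`, keeping the existing error text. The NetBIOS branch has a related gap worth a comment: `\w` excludes `-`, so `MY-DOM\user` matches neither pattern, bypasses the new check and is looked up verbatim as a sAMAccountName. Accepting the dotted realm changes the returned `realm` element for such input; the callers touched by this commit unpack it without reading it, but callers outside the diff should be checked before making that change.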
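Review bot: The context comment `# TODO once I understand how, use the domain info to naildown` / `# to the correct domain` kept above the changed call now describes what this very change does — `sam` is passed so the helper rejects an account whose `DOMAIN\` or `@REALM` part is not ours — and will mislead the next reader into thinking the check is still missing. I would replace the two lines with `# Reject accounts from a domain or realm other than ours before searching` or drop them. The same stale comment survives at every other call site touched by this commit. The enclosing run method of cmd_delegation_show starts and ends outside the hunk.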
@@ -227,7 +228,8 @@ class cmd_delegation_for_any_service(Command):
 credentials=creds, lp=lp)
 # TODO once I understand how, use the domain info to naildown
 # to the correct domain
- (cleanedaccount, realm, domain) = _get_user_realm_domain(accountname)
+ (cleanedaccount, realm, domain) = _get_user_realm_domain(accountname,
+ sam)
 search_filter = "sAMAccountName=%s" % ldb.binary_encode(cleanedaccount)
 flag = dsdb.UF_TRUSTED_FOR_DELEGATION
@@ -280,7 +282,8 @@ class cmd_delegation_for_any_protocol(Command):
 credentials=creds, lp=lp)
 # TODO once I understand how, use the domain info to naildown
 # to the correct domain
- (cleanedaccount, realm, domain) = _get_user_realm_domain(accountname)
+ (cleanedaccount, realm, domain) = _get_user_realm_domain(accountname,
+ sam)
 search_filter = "sAMAccountName=%s" % ldb.binary_encode(cleanedaccount)
 flag = dsdb.UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION
@@ -325,7 +328,8 @@ class cmd_delegation_add_service(Command):
 credentials=creds, lp=lp)
 # TODO once I understand how, use the domain info to naildown
 # to the correct domain
- (cleanedaccount, realm, domain) = _get_user_realm_domain(accountname)
+ (cleanedaccount, realm, domain) = _get_user_realm_domain(accountname,
+ sam)
 res = sam.search(expression="sAMAccountName=%s" %
 ldb.binary_encode(cleanedaccount),
@@ -379,7 +383,8 @@ class cmd_delegation_del_service(Command):
 credentials=creds, lp=lp)
 # TODO once I understand how, use the domain info to naildown
 # to the correct domain
- (cleanedaccount, realm, domain) = _get_user_realm_domain(accountname)
+ (cleanedaccount, realm, domain) = _get_user_realm_domain(accountname,
+ sam)
 res = sam.search(expression="sAMAccountName=%s" %
 ldb.binary_encode(cleanedaccount),
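Review bot: The changed call in cmd_delegation_for_any_service (and the three hunks below it) still unpacks `(cleanedaccount, realm, domain)` although nothing in the visible lines reads `realm` or `domain` — only `cleanedaccount` feeds `search_filter` — while the add_principal and del_principal changes in this same commit use `cleanedaccount, _, _ = ...`. For consistency, and to stop linters flagging two unused names, I would write `cleanedaccount, _, _ = _get_user_realm_domain(accountname, sam)`, which also fits on one line and removes the dangling `sam)` continuation. The enclosing run method starts and ends outside the hunk, so a use of `realm` or `domain` further down cannot be ruled out from here.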
@@ -433,7 +438,7 @@ class cmd_delegation_add_principal(Command):
 credentials=creds, lp=lp)
 # TODO once I understand how, use the domain info to naildown
 # to the correct domain
- cleanedaccount, _, _ = _get_user_realm_domain(accountname)
+ cleanedaccount, _, _ = _get_user_realm_domain(accountname, sam)
 account_res = sam.search(
 expression="sAMAccountName=%s" %
@@ -476,7 +481,7 @@ class cmd_delegation_add_principal(Command):
 # TODO once I understand how, use the domain info to naildown
 # to the correct domain
- cleanedprinc, _, _ = _get_user_realm_domain(principal)
+ cleanedprinc, _, _ = _get_user_realm_domain(principal, sam)
 princ_res = sam.search(expression="sAMAccountName=%s" %
 ldb.binary_encode(cleanedprinc),
@@ -576,7 +581,7 @@ class cmd_delegation_del_principal(Command):
 credentials=creds, lp=lp)
 # TODO once I understand how, use the domain info to naildown
 # to the correct domain
- cleanedaccount, _, _ = _get_user_realm_domain(accountname)
+ cleanedaccount, _, _ = _get_user_realm_domain(accountname, sam)
 account_res = sam.search(
 expression="sAMAccountName=%s" %
@@ -611,8 +616,7 @@ class cmd_delegation_del_principal(Command):
 # TODO once I understand how, use the domain info to naildown
 # to the correct domain
- cleanedprinc, _, _ = _get_user_realm_domain(
- principal)
+ cleanedprinc, _, _ = _get_user_realm_domain(principal, sam)
 princ_res = sam.search(expression="sAMAccountName=%s" %
 ldb.binary_encode(cleanedprinc),
diff --git a/python/samba/netcmd/spn.py b/python/samba/netcmd/spn.py
index 2676ff34fac..ab79e9ceeab 100644
--- a/python/samba/netcmd/spn.py
+++ b/python/samba/netcmd/spn.py
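Review bot: In cmd_delegation_add_principal both `accountname` and `principal` now go through the same helper, so the `Given domain '...' does not match our domain` error cannot tell the operator which of the two arguments was wrong, and the `principal` check only runs after the `account_res = sam.search(` round-trip. I would parse both arguments up front, before the first search, and label the second failure: `except CommandError as e:` / `raise CommandError(f"principal '{principal}': {e}")` around the `cleanedprinc` call. The same applies to cmd_delegation_del_principal in the last two hunks. The enclosing run methods start and end outside these hunks, so I cannot see whether anything between the two calls has side effects.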
@@ -56,7 +56,7 @@ class cmd_spn_list(Command):
 credentials=creds, lp=lp)
 # TODO once I understand how, use the domain info to naildown
 # to the correct domain
- (cleaneduser, realm, domain) = _get_user_realm_domain(user)
+ (cleaneduser, realm, domain) = _get_user_realm_domain(user, sam)
 self.outf.write(cleaneduser + "\n")
 res = sam.search(
 expression="samaccountname=%s" % ldb.binary_encode(cleaneduser),
@@ -107,7 +107,7 @@ class cmd_spn_add(Command):
 raise CommandError("Service principal %s already"
 " affected to another user" % name)
- (cleaneduser, realm, domain) = _get_user_realm_domain(user)
+ (cleaneduser, realm, domain) = _get_user_realm_domain(user, sam)
 res = sam.search(
 expression="samaccountname=%s" % ldb.binary_encode(cleaneduser),
 scope=ldb.SCOPE_SUBTREE, attrs=["servicePrincipalName"])
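Review bot: In cmd_spn_add the new domain/realm validation of `user` sits after the SPN-existence search and its `Service principal %s already affected to another user` error, so an operator who mistypes the domain on an SPN that already exists gets the "already affected" message and never learns the account argument was wrong; input should be validated before the first directory query. I would move `(cleaneduser, realm, domain) = _get_user_realm_domain(user, sam)` up to just after `sam` is created, ahead of the existence check, which changes no result on the success path. The enclosing run method starts outside the hunk, so I am inferring the position of the SamDB construction from the cmd_spn_list hunk above.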