From: David Mulder Date: Thu, 12 May 2022 19:24:07 +0000 (-0600) Subject: gpo: Cert Auto Enroll use ldap trust cert if NDES disabled X-Git-Tag: talloc-2.3.4~142 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8231eaf856b11bce5cec0b31129f709d0d6d2cc7;p=thirdparty%2Fsamba.git gpo: Cert Auto Enroll use ldap trust cert if NDES disabled If the CA does not have the Network Device Enrollment Service enabled, we can still use the certificate from the ldap request (unless this is a complex request and ldap config isn't present). Signed-off-by: David Mulder Reviewed-by: Andreas Schneider Autobuild-User(master): Andreas Schneider Autobuild-Date(master): Fri May 13 15:38:53 UTC 2022 on sn-devel-184 --- diff --git a/python/samba/gp_cert_auto_enroll_ext.py b/python/samba/gp_cert_auto_enroll_ext.py index 6f84f174b2b..680525c9ced 100644 --- a/python/samba/gp_cert_auto_enroll_ext.py +++ b/python/samba/gp_cert_auto_enroll_ext.py @@ -194,9 +194,9 @@ def get_supported_templates(server): return [] -def getca(ca_name, url, trust_dir): +def getca(ca, url, trust_dir): """Fetch Certificate Chain from the CA.""" - root_cert = os.path.join(trust_dir, '%s.crt' % ca_name) + root_cert = os.path.join(trust_dir, '%s.crt' % ca['name']) root_certs = [] try: 
@@ -205,10 +205,21 @@ def getca(ca_name, url, trust_dir):
     except requests.exceptions.ConnectionError:
         log.warn('Failed to establish a new connection')
         r = None
-    if r is None or r.content == b'':
+    if r is None or r.content == b'' or r.headers['Content-Type'] == 'text/html':
         log.warn('Failed to fetch the root certificate chain.')
-        log.warn('Ensure you have installed and configured the'
-                 ' Network Device Enrollment Service.')
+        log.warn('The Network Device Enrollment Service is either not'
+                 ' installed or not configured.')
+        if 'cACertificate' in ca:
+            log.warn('Installing the server certificate only.')
+            try:
+                cert = load_der_x509_certificate(ca['cACertificate'])
+            except TypeError:
+                cert = load_der_x509_certificate(ca['cACertificate'],
+                                                 default_backend())
+            cert_data = cert.public_bytes(Encoding.PEM)
+            with open(root_cert, 'wb') as w:
+                w.write(cert_data)
+            root_certs.append(root_cert)
         return root_certs
     if r.headers['Content-Type'] == 'application/x-x509-ca-cert':
@@ -239,7 +250,7 @@ def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'):
     """Install the root certificate chain."""
     data = {'files': [], 'templates': []}
     url = 'http://%s/CertSrv/mscep/mscep.dll/pkiclient.exe?' % ca['hostname']
-    root_certs = getca(ca['name'], url, trust_dir)
+    root_certs = getca(ca, url, trust_dir)
     data['files'].extend(root_certs)
     for src in root_certs:
         # Symlink the certs to global trust dir
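Review bot: The new `if 'cACertificate' in ca:` fallback writes an LDAP-sourced certificate into the trust directory but only guards `load_der_x509_certificate` against `TypeError` (the backend-argument compatibility case), so a malformed or unexpectedly typed `cACertificate` value raises `ValueError` straight out of getca() instead of being reported like the other failures on this path; wrapping the parse in `except ValueError as e: log.warn('Failed to parse cACertificate from LDAP: %s' % e); return root_certs` keeps the function's existing best-effort contract. Separately, the added `r.headers['Content-Type'] == 'text/html'` test is an exact match, so an error page served with a parameter such as `text/html; charset=utf-8` (commonly what IIS sends) falls through to the chain-parsing code below, and a response with no Content-Type header raises `KeyError`; `r.headers.get('Content-Type', '').startswith('text/html')` covers both cases. Note also that this branch now fires on a plain connection error as well (`r is None`), where the "not installed or not configured" message may be wrong and a server-only certificate is installed with just a warning, which seems intended but deserves a comment such as `# Fall back to the single cert published in AD; the full chain could not be fetched via NDES`. getca() continues past the end of this hunk.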