From: Gabriel Nagy Date: Wed, 16 Aug 2023 22:05:54 +0000 (+0300) Subject: gp: Support more global trust directories X-Git-Tag: tevent-0.16.0~802 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a1b285e485c0b5a8747499bdbbb9f3f4fc025b2f;p=thirdparty%2Fsamba.git gp: Support more global trust directories In addition to the SUSE global trust directory, add support for RHEL and Debian-based distributions (including Ubuntu). To determine the correct directory to use, we iterate over the variants and stop at the first which is a directory. In case none is found, fallback to the first option which will produce a warning as it did previously. Signed-off-by: Gabriel Nagy Reviewed-by: Joseph Sutton Reviewed-by: David Mulder --- diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py index 312c8ddf467..1b90ab46e90 100644 --- a/python/samba/gp/gp_cert_auto_enroll_ext.py +++ b/python/samba/gp/gp_cert_auto_enroll_ext.py @@ -45,10 +45,12 @@ cert_wrap = b""" -----BEGIN CERTIFICATE----- %s -----END CERTIFICATE-----""" -global_trust_dir = '/etc/pki/trust/anchors' endpoint_re = '(https|HTTPS)://(?P[a-zA-Z0-9.-]+)/ADPolicyProvider' + \ '_CEP_(?P[a-zA-Z]+)/service.svc/CEP' +global_trust_dirs = ['/etc/pki/trust/anchors', # SUSE + '/etc/pki/ca-trust/source/anchors', # RHEL/Fedora + '/usr/local/share/ca-certificates'] # Debian/Ubuntu def octet_string_to_objectGUID(data): """Convert an octet string to an objectGUID.""" 
@@ -249,12 +251,20 @@ def getca(ca, url, trust_dir):
     return root_certs
+def find_global_trust_dir():
+    """Return the global trust dir using known paths from various Linux distros."""
+    for trust_dir in global_trust_dirs:
+        if os.path.isdir(trust_dir):
+            return trust_dir
+    return global_trust_dirs[0]
+
 def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'):
     """Install the root certificate chain."""
     data = dict({'files': [], 'templates': []}, **ca)
     url = 'http://%s/CertSrv/mscep/mscep.dll/pkiclient.exe?' % ca['hostname']
     root_certs = getca(ca, url, trust_dir)
     data['files'].extend(root_certs)
+    global_trust_dir = find_global_trust_dir()
     for src in root_certs:
         # Symlink the certs to global trust dir
         dst = os.path.join(global_trust_dir, os.path.basename(src))
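Review bot: find_global_trust_dir returns the first candidate directory that exists, but the tool that rebuilds the system bundle from that directory (`update-ca-trust` for /etc/pki/ca-trust, `update-ca-certificates` for /usr/local/share/ca-certificates) is not chosen here, so on a host where more than one of these directories exists the symlinks can land in a directory the installed tool never reads and the AD-published CA silently stays untrusted. Deriving the directory from the tool that is present (`shutil.which('update-ca-trust')` / `shutil.which('update-ca-certificates')`), or keeping each directory paired with its refresh command in one table, would keep the two decisions consistent; if that command is selected elsewhere in this file it is outside this hunk and I cannot confirm how it is picked. A second caveat for the Debian path: update-ca-certificates only imports files ending in `.crt` from /usr/local/share/ca-certificates, so the symlink name produced by `os.path.basename(src)` must carry that suffix — getca is outside the hunk, so whether it does is unverified here. The docstring should also state the fallback behaviour the commit message describes, e.g. `"""Return the first existing global trust dir, or the SUSE path if none exists."""`. cert_enroll's body continues past the end of the hunk.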