|
217 |
|
217 |
|
218 |
(previous_dns_ucr_set, previous_dns_ucr_unset) = set_nameserver([ad_server_ip], ucr) |
218 |
(previous_dns_ucr_set, previous_dns_ucr_unset) = set_nameserver([ad_server_ip], ucr) |
219 |
(previous_krb_ucr_set, previous_krb_ucr_unset) = prepare_kerberos_ucr_settings(realm=ad_realm, ucr=ucr) |
219 |
(previous_krb_ucr_set, previous_krb_ucr_unset) = prepare_kerberos_ucr_settings(realm=ad_realm, ucr=ucr) |
|
|
220 |
(previous_host_static_ucr_set, previous_host_static_ucr_unset) = prepare_dns_reverse_settings(ad_domain_info) |
220 |
|
221 |
|
221 |
try: |
222 |
try: |
222 |
principal = "%s@%s" % (username, ad_realm) |
223 |
principal = "%s@%s" % (username, ad_realm) |
223 |
_get_kerberos_ticket(principal, password, ucr) |
224 |
_get_kerberos_ticket(principal, password, ucr) |
224 |
auth = ldap.sasl.gssapi("") |
225 |
auth = ldap.sasl.gssapi("") |
225 |
prepare_dns_reverse_settings(ad_domain_info) |
|
|
226 |
except Exception: |
226 |
except Exception: |
227 |
set_ucr(previous_dns_ucr_set, previous_dns_ucr_unset) |
227 |
set_ucr(previous_dns_ucr_set, previous_dns_ucr_unset) |
228 |
set_ucr(previous_krb_ucr_set, previous_krb_ucr_unset) |
228 |
set_ucr(previous_krb_ucr_set, previous_krb_ucr_unset) |
|
|
229 |
set_ucr(previous_host_static_ucr_set, previous_host_static_ucr_unset) |
229 |
raise |
230 |
raise |
230 |
|
231 |
|
231 |
## Ok, ready and set for kerberized LDAP lookup |
232 |
## Ok, ready and set for kerberized LDAP lookup |
|
239 |
finally: |
240 |
finally: |
240 |
set_ucr(previous_dns_ucr_set, previous_dns_ucr_unset) |
241 |
set_ucr(previous_dns_ucr_set, previous_dns_ucr_unset) |
241 |
set_ucr(previous_krb_ucr_set, previous_krb_ucr_unset) |
242 |
set_ucr(previous_krb_ucr_set, previous_krb_ucr_unset) |
|
|
243 |
set_ucr(previous_host_static_ucr_set, previous_host_static_ucr_unset) |
242 |
|
244 |
|
243 |
res = lo_ad.search(scope="base", attr=["objectSid"]) |
245 |
res = lo_ad.search(scope="base", attr=["objectSid"]) |
244 |
if not res or not "objectSid" in res[0][1]: |
246 |
if not res or not "objectSid" in res[0][1]: |
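Review bot: The new call to prepare_dns_reverse_settings() now runs after set_nameserver() and prepare_kerberos_ucr_settings() but before the `try:`, so if it raises (on the new side it calls socket.gethostbyname() and handler_set(), either of which can fail) the DNS and Kerberos UCR changes just made are never rolled back; the old code called it inside the `try`, where the `except Exception:` restore covered it. Initialise the two variables before the block and move the call into it: `previous_host_static_ucr_set, previous_host_static_ucr_unset = [], []` before `try:`, and `(previous_host_static_ucr_set, previous_host_static_ucr_unset) = prepare_dns_reverse_settings(ad_domain_info)` as its first statement, so the handlers can always reference them (this presumes set_ucr() accepts empty lists, which is not visible here). A short comment on the `except Exception:` branch such as `# undo all UCR changes made above before propagating the error` would also make the rollback contract explicit. The enclosing function starts before and continues past this hunk.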
|
912 |
def prepare_dns_reverse_settings(ad_domain_info): |
914 |
def prepare_dns_reverse_settings(ad_domain_info): |
913 |
## For python-ldap / GSSAPI / AD we need working reverse DNS lookups |
915 |
## For python-ldap / GSSAPI / AD we need working reverse DNS lookups |
914 |
## Otherwise one ends up with: |
916 |
## Otherwise one ends up with: |
|
|
917 |
## |
915 |
## SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text) |
918 |
## SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text) |
916 |
## (Matching credential (ldap/10.20.30.123@10.20.30.123) not found) |
919 |
## (Matching credential (ldap/10.20.30.123@10.20.30.123) not found) |
|
|
920 |
## |
921 |
## Or even worse, in case there had been a (nscd cached?) PTR record |
922 |
## in the ucs.domain: |
923 |
## |
924 |
## SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text) |
925 |
## (Matching credential (ldap/adhost.ucs.domain@UCS.DOMAIN) not found) |
926 |
## |
927 |
|
928 |
## Flush the cache, just in case |
929 |
if os.path.exists("/usr/sbin/nscd"): |
930 |
cmd = ("/usr/sbin/nscd", "--invalidate=hosts") |
931 |
p1 = subprocess.Popen(cmd, close_fds=True) |
932 |
p1.communicate() |
933 |
|
934 |
## Test DNS resolution (just for fun) |
917 |
try: |
935 |
try: |
918 |
socket.gethostbyaddr(ad_domain_info['DC IP']) |
936 |
hostname, aliaslist, ipaddrlist = socket.gethostbyaddr(ad_domain_info['DC IP']) |
919 |
except socket.herror: |
937 |
ud.debug(ud.MODULE, ud.INFO, "%s resolves to %s" % (ad_domain_info['DC IP'], hostname)) |
920 |
ad_server_name = ad_domain_info['DC DNS Name'] |
938 |
except (socket.herror, socket.gaierror) as exc: |
921 |
ip = socket.gethostbyname(ad_server_name) |
939 |
ud.debug(ud.MODULE, ud.INFO, "Resolving %s failed: %s" % (ad_domain_info['DC IP'], exc.args[1])) |
922 |
ucr_key = u'hosts/static/%s' % (ip,) |
|
|
923 |
ucr_set = [ u'%s=%s' % (ucr_key, ad_server_name), ] |
924 |
univention.config_registry.handler_set(ucr_set) |
925 |
if os.path.exists("/usr/sbin/nscd"): |
926 |
cmd = ("/usr/sbin/nscd", "--invalidate=hosts") |
927 |
p1 = subprocess.Popen(cmd, close_fds=True) |
928 |
p1.communicate() |
929 |
|
930 |
|
940 |
|
|
|
941 |
## Set a hosts/static anyway, to be safe from DNS issues (Bug #38285) |
942 |
previous_ucr_set = [] |
943 |
previous_ucr_unset = [] |
944 |
|
945 |
ad_server_name = ad_domain_info['DC DNS Name'] |
946 |
ip = socket.gethostbyname(ad_server_name) |
947 |
ucr_key = u'hosts/static/%s' % (ip,) |
948 |
ucr_set = [ u'%s=%s' % (ucr_key, ad_server_name), ] |
949 |
|
950 |
for setting in ucr_set: |
951 |
var = setting.split("=", 1)[0] |
952 |
old_val = ucr.get(var) |
953 |
if old_val is not None: |
954 |
previous_ucr_set.append(u'%s=%s' % (var, old_val)) |
955 |
else: |
956 |
previous_ucr_unset.append(u'%s' % (var,)) |
957 |
|
958 |
ud.debug(ud.MODULE, ud.PROCESS, "Setting UCR variables: %s" % ucr_set) |
959 |
univention.config_registry.handler_set(ucr_set) |
960 |
|
961 |
return (previous_ucr_set, previous_ucr_unset) |
962 |
|
931 |
def prepare_kerberos_ucr_settings(realm=None, ucr=None): |
963 |
def prepare_kerberos_ucr_settings(realm=None, ucr=None): |
932 |
ud.debug(ud.MODULE, ud.PROCESS, "Prepare Kerberos UCR settings") |
964 |
ud.debug(ud.MODULE, ud.PROCESS, "Prepare Kerberos UCR settings") |
933 |
|
965 |
|