|
0 |
- |
1 |
#!/usr/bin/python2.7 |
|
|
2 |
# coding: utf-8 |
3 |
# |
4 |
# Univention Management Console module: |
5 |
# System Diagnosis UMC module |
6 |
# |
7 |
# Copyright 2017 Univention GmbH |
8 |
# |
9 |
# http://www.univention.de/ |
10 |
# |
11 |
# All rights reserved. |
12 |
# |
13 |
# The source code of this program is made available |
14 |
# under the terms of the GNU Affero General Public License version 3 |
15 |
# (GNU AGPL V3) as published by the Free Software Foundation. |
16 |
# |
17 |
# Binary versions of this program provided by Univention to you as |
18 |
# well as other copyrighted, protected or trademarked materials like |
19 |
# Logos, graphics, fonts, specific documentations and configurations, |
20 |
# cryptographic keys etc. are subject to a license agreement between |
21 |
# you and Univention and not subject to the GNU AGPL V3. |
22 |
# |
23 |
# In the case you use this program under the terms of the GNU AGPL V3, |
24 |
# the program is provided in the hope that it will be useful, |
25 |
# but WITHOUT ANY WARRANTY; without even the implied warranty of |
26 |
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
27 |
# GNU Affero General Public License for more details. |
28 |
# |
29 |
# You should have received a copy of the GNU Affero General Public |
30 |
# License with the Debian GNU/Linux or Univention distribution in file |
31 |
# /usr/share/common-licenses/AGPL-3; if not, see |
32 |
# <http://www.gnu.org/licenses/>. |
33 |
|
34 |
import ldap |
35 |
import socket |
36 |
|
37 |
import univention.uldap |
38 |
import univention.lib.s4 as s4 |
39 |
import univention.config_registry |
40 |
from univention.management.console.modules.diagnostic import Warning |
41 |
|
42 |
from univention.lib.i18n import Translation |
43 |
_ = Translation('univention-management-console-module-diagnostic').translate |
44 |
|
45 |
title = _('Check well known SIDs') |
46 |
description = _('All SIDs exist and names are consistent.') |
47 |
|
48 |
|
49 |
NON_EXISTENT_SIDS = set(('Power Users', 'Creator Group Server', |
50 |
'Creator Owner Server', 'Local', 'Console Logon', 'All Services', |
51 |
'Creator Authority', 'Local Authority', 'NT Authority', |
52 |
'Non-unique Authority', 'Cloneable Domain Controllers')) |
53 |
|
54 |
|
55 |
class CheckError(Exception): |
56 |
def __init__(self, sid, expected_name): |
57 |
self.sid = sid |
58 |
self.expected_name = expected_name |
59 |
|
60 |
|
61 |
class SIDNotFound(CheckError): |
62 |
def __str__(self): |
63 |
msg = _('No user or group with SID {sid} found, expected {expected!r}.') |
64 |
return msg.format(sid=self.sid, expected=self.expected_name) |
65 |
|
66 |
|
67 |
class NameMismatch(CheckError): |
68 |
def __init__(self, sid, expected_name, actual_name): |
69 |
super(NameMismatch, self).__init__(sid, expected_name) |
70 |
self.actual_name = actual_name |
71 |
|
72 |
def __str__(self): |
73 |
msg = _('User or group with SID {sid} has name {actual!r}, but should be {expected!r}.') |
74 |
return msg.format(sid=self.sid, actual=self.actual_name, expected=self.expected_name) |
75 |
|
76 |
|
77 |
class LDAPConnection(object): |
78 |
def __init__(self): |
79 |
self._connection = univention.uldap.getMachineConnection() |
80 |
self._ucr = univention.config_registry.ConfigRegistry() |
81 |
self._ucr.load() |
82 |
|
83 |
def _map_group_name(self, name): |
84 |
if name is None: |
85 |
return name |
86 |
return self._ucr.get('connector/s4/mapping/group/table/{}'.format(name)) or name |
87 |
|
88 |
def search(self, expression, attr=[]): |
89 |
for (dn, attr) in self._connection.search(expression, attr=attr): |
90 |
if dn is not None: |
91 |
yield (dn, attr) |
92 |
|
93 |
def get_domain_sid(self): |
94 |
for (dn, attr) in self.search('(objectClass=sambaDomain)', attr=['sambaSID']): |
95 |
for sid in attr.get('sambaSID'): |
96 |
return sid |
97 |
raise KeyError('domain sid not found') |
98 |
|
99 |
def get_by_sid(self, sid): |
100 |
expression = ldap.filter.filter_format('(sambaSID=%s)', (sid,)) |
101 |
for (dn, attr) in self.search(expression, attr=['cn', 'uid']): |
102 |
for uid in attr.get('uid', []): |
103 |
return uid |
104 |
for cn in attr.get('cn', []): |
105 |
return self._map_group_name(cn) |
106 |
raise KeyError(sid) |
107 |
|
108 |
|
109 |
def all_sids_and_names(domain_sid): |
110 |
for (sid, name) in s4.well_known_sids.iteritems(): |
111 |
if name not in NON_EXISTENT_SIDS: |
112 |
yield (sid, name) |
113 |
|
114 |
for (rid, name) in s4.well_known_domain_rids.iteritems(): |
115 |
if name not in NON_EXISTENT_SIDS: |
116 |
yield ('{}-{}'.format(domain_sid, rid), name) |
117 |
|
118 |
|
119 |
def check_existence_and_consistency(): |
120 |
ldap_connection = LDAPConnection() |
121 |
domain_sid = ldap_connection.get_domain_sid() |
122 |
for (sid, expected_name) in all_sids_and_names(domain_sid): |
123 |
try: |
124 |
actual_name = ldap_connection.get_by_sid(sid) |
125 |
except KeyError as error: |
126 |
yield SIDNotFound(error.message, expected_name) |
127 |
else: |
128 |
if actual_name != expected_name: |
129 |
yield NameMismatch(sid, expected_name, actual_name) |
130 |
|
131 |
|
132 |
def is_service_active(service): |
133 |
lo = univention.uldap.getMachineConnection() |
134 |
raw_filter = '(&(univentionService=%s)(cn=%s))' |
135 |
filter_expr = ldap.filter.filter_format(raw_filter, (service, socket.gethostname())) |
136 |
for (dn, _attr) in lo.search(filter_expr, attr=['cn']): |
137 |
if dn is not None: |
138 |
return True |
139 |
return False |
140 |
|
141 |
|
142 |
def run(): |
143 |
if not is_service_active('S4 Connector'): |
144 |
return |
145 |
|
146 |
check_errors = list(check_existence_and_consistency()) |
147 |
if check_errors: |
148 |
raise Warning(description='\n'.join(str(x) for x in check_errors)) |
149 |
|
150 |
|
151 |
if __name__ == '__main__': |
152 |
from univention.management.console.modules.diagnostic import main |
153 |
main() |
1 |
well_known_sid_check.py (po) |
154 |
well_known_sid_check.py (po) |
2 |
-- |
|
|
3 |
.../umc/python/diagnostic/de.po | 25 ++++++++++++++++++++-- |
155 |
.../umc/python/diagnostic/de.po | 25 ++++++++++++++++++++-- |
4 |
1 file changed, 23 insertions(+), 2 deletions(-) |
156 |
1 file changed, 23 insertions(+), 2 deletions(-) |