- 

#!/usr/bin/python2.7

# coding: utf-8

#

# Univention Management Console module:

#  System Diagnosis UMC module

#

# Copyright 2017 Univention GmbH

#

# http://www.univention.de/

#

# All rights reserved.

#

# The source code of this program is made available

# under the terms of the GNU Affero General Public License version 3

# (GNU AGPL V3) as published by the Free Software Foundation.

#

# Binary versions of this program provided by Univention to you as

# well as other copyrighted, protected or trademarked materials like

# Logos, graphics, fonts, specific documentations and configurations,

# cryptographic keys etc. are subject to a license agreement between

# you and Univention and not subject to the GNU AGPL V3.

#

# In the case you use this program under the terms of the GNU AGPL V3,

# the program is provided in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

# GNU Affero General Public License for more details.

#

# You should have received a copy of the GNU Affero General Public

# License with the Debian GNU/Linux or Univention distribution in file

# /usr/share/common-licenses/AGPL-3; if not, see

# <http://www.gnu.org/licenses/>.

import subprocess

import univention.config_registry

from univention.management.console.modules.diagnostic import Critical

from univention.lib.i18n import Translation

_ = Translation('univention-management-console-module-diagnostic').translate

title = _('Check for Kerberos-authenticated DNS Updates')

description = _('The check for updating DNS-Records with Kerberos Authentication was successful.')

def run():

	config_registry = univention.config_registry.ConfigRegistry()

	config_registry.load()

	pwdpath = config_registry.get("umc/module/diagnostic/umc_password")

	hostname = config_registry.get("umc/module/diagnostic/umc_user")

	domainname = config_registry.get("domainname")

	kerberos_realm = config_registry.get("kerberos/realm")

	process = subprocess.Popen(['testparm', '-sv'], stdout=subprocess.PIPE,

		stderr=subprocess.STDOUT)

	stdout, stderr = process.communicate()

	samba_server_role = utils.get_string_between_strings(stdout, "server role = ", "\n")

	if not samba_server_role == "active directory domain controller":

		return

	kinit = ['kinit', '--password-file=%s' % (pwdpath), '%s@%s' % (hostname, kerberos_realm)]

	process = subprocess.Popen(kinit, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)

	if process.returncode:

		description = _('Kinit with machine account failed')

		raise Critical('\n'.join([

			description,

			"Returncode of process: %s" % (process.returncode)

		]))

	stdout, stderr = process.communicate()

	nsupdate_process = subprocess.Popen(['nsupdate', '-g'],

		stdout=subprocess.PIPE, stdin=subprocess.PIPE, stderr=subprocess.STDOUT)

	nsupdate_process.stdin.write('prereq yxdomain %s\nsend\nquit\n' % (domainname))

	stdout, stderr = nsupdate_process.communicate()

	if nsupdate_process.returncode != 0:

		description = _('nsupdate -g failed')

		raise Critical('\n'.join([

			description,

			"Returncode of process: %s" % (nsupdate_process.returncode),

			"stdout: %s" % (stdout),

			"stderr: %s" % (stderr)

		]))

if __name__ == '__main__':

	from univention.management.console.modules.diagnostic import main

	main()

title = _('Check for Kerberos-authenticated DNS Updates')

title = _('Check kerberos authenticated DNS updates')

description = _('The check for updating DNS-Records with Kerberos Authentication was successful.')

description = _('No errors occured.')

class UpdateError(Exception):

	pass

class KinitError(UpdateError):

	def __init__(self, principal, keytab, password_file):

		super(KinitError, self).__init__(principal, keytab, password_file)

		self.principal = principal

		self.keytab = keytab

		self.password_file = password_file

	def __str__(self):

		if self.keytab:

			msg = _('`kinit` for principal {princ} with keytab {tab} failed.')

		else:

			msg = _('`kinit` for principal {princ} with password file {file} failed.')

		return msg.format(princ=self.principal, tab=self.keytab, file=self.password_file)

class NSUpdateError(UpdateError):

	def __init__(self, hostname, domainname):

		super(NSUpdateError, self).__init__(hostname, domainname)

		self.hostname = hostname

		self.domainname = domainname

	def __str__(self):

		msg = _('`nsupdate` existence check for domain {domain} failed.')

		return msg.format(domain=self.domainname)

@contextlib.contextmanager

def kinit(principal, keytab=None, password_file=None):

	auth = '--keytab={tab}' if keytab else '--password-file={file}'

	cmd = ('kinit', auth.format(tab=keytab, file=password_file), principal)

	try:

		subprocess.check_call(cmd)

	except subprocess.CalledProcessError:

		raise KinitError(principal, keytab, password_file)

	else:

		yield

		subprocess.call(('kdestroy',))

def nsupdate(hostname, domainname):

	process = subprocess.Popen(('nsupdate', '-g'), stdin=subprocess.PIPE,

		stdout=subprocess.PIPE, stderr=subprocess.STDOUT)

	cmd = 'server {host}.{domain}\nprereq yxdomain {domain}\n'

	_ = process.communicate(cmd.format(host=hostname, domain=domainname))

	if process.poll() != 0:

		raise NSUpdateError(hostname, domainname)

def check_dns_machine_principal(hostname, domainname):

	with kinit('{}$'.format(hostname), password_file='/etc/machine.secret'):

		nsupdate(hostname, domainname)

def check_dns_server_principal(hostname, domainname):

	with kinit('dns-{}'.format(hostname), keytab='/var/lib/samba/private/dns.keytab'):

		nsupdate(hostname, domainname)

def check_nsupdate(hostname, domainname, is_dc=False):

	try:

		check_dns_machine_principal(hostname, domainname)

	except UpdateError as error:

		yield error

	if is_dc:

		try:

			check_dns_server_principal(hostname, domainname)

		except UpdateError as error:

			yield error

	pwdpath = config_registry.get("umc/module/diagnostic/umc_password")

	hostname = config_registry.get('hostname')

	hostname = config_registry.get("umc/module/diagnostic/umc_user")

	domainname = config_registry.get('domainname')

	domainname = config_registry.get("domainname")

	is_dc = config_registry.get('samba4/role') == 'DC'

	kerberos_realm = config_registry.get("kerberos/realm")

	process = subprocess.Popen(['testparm', '-sv'], stdout=subprocess.PIPE,

	problems = list(check_nsupdate(hostname, domainname, is_dc))

		stderr=subprocess.STDOUT)

	if problems:

	stdout, stderr = process.communicate()

		ed = [_('Errors occured while running `kinit` or `nsupdate`.')]

	samba_server_role = utils.get_string_between_strings(stdout, "server role = ", "\n")

		ed.extend(str(error) for error in problems)

		raise Critical(description='\n'.join(ed))

	if not samba_server_role == "active directory domain controller":

		return

	kinit = ['kinit', '--password-file=%s' % (pwdpath), '%s@%s' % (hostname, kerberos_realm)]

	process = subprocess.Popen(kinit, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)

	if process.returncode:

		description = _('Kinit with machine account failed')

		raise Critical('\n'.join([

			description,

			"Returncode of process: %s" % (process.returncode)

		]))

	stdout, stderr = process.communicate()

	nsupdate_process = subprocess.Popen(['nsupdate', '-g'],

		stdout=subprocess.PIPE, stdin=subprocess.PIPE, stderr=subprocess.STDOUT)

	nsupdate_process.stdin.write('prereq yxdomain %s\nsend\nquit\n' % (domainname))

	stdout, stderr = nsupdate_process.communicate()

	if nsupdate_process.returncode != 0:

		description = _('nsupdate -g failed')

		raise Critical('\n'.join([

			description,

			"Returncode of process: %s" % (nsupdate_process.returncode),

			"stdout: %s" % (stdout),

			"stderr: %s" % (stderr)

		]))

"Report-Msgid-Bugs-To: packages@univention.de\n"

"Report-Msgid-Bugs-To: \n"

"POT-Creation-Date: 2016-01-14 12:19+0100\n"

"POT-Creation-Date: 2017-06-29 16:36+0200\n"