From 41b252a5b47f57919bf98c41947d5927ed0d5aaf Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Tue, 19 Aug 2014 16:21:21 +0300 Subject: [PATCH] ipaserver/dcerpc.py: make PDC discovery more robust Certain operations against AD domain controller can only be done if its FSMO role is primary domain controller. We need to use writable DC and PDC when creating trust and updating name suffix routing information. https://fedorahosted.org/freeipa/ticket/4479 Reviewed-By: Sumit Bose --- ipaserver/dcerpc.py | 21 ++++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py index b11476a262ccce4315131b9ffbd93b625de940e7..78bfc5dbefc778519c5db0ac12d6551710257ba9 100644 --- a/ipaserver/dcerpc.py +++ b/ipaserver/dcerpc.py @@ -706,16 +706,19 @@ class TrustDomainInstance(object): binding_template=lambda x,y,z: u'%s:%s[%s]' % (x, y, z) return [binding_template(t, remote_host, o) for t in transports for o in options] - def retrieve_anonymously(self, remote_host, discover_srv=False): + def retrieve_anonymously(self, remote_host, discover_srv=False, search_pdc=False): """ When retrieving DC information anonymously, we can't get SID of the domain """ netrc = net.Net(creds=self.creds, lp=self.parm) + flags = nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS | nbt.NBT_SERVER_WRITABLE + if search_pdc: + flags = flags | nbt.NBT_SERVER_PDC try: if discover_srv: - result = netrc.finddc(domain=remote_host, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS) + result = netrc.finddc(domain=remote_host, flags=flags) else: - result = netrc.finddc(address=remote_host, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS) + result = netrc.finddc(address=remote_host, flags=flags) except RuntimeError, e: raise assess_dcerpc_exception(message=str(e)) @@ -726,6 +729,7 @@ class TrustDomainInstance(object): self.info['dns_forest'] = unicode(result.forest) self.info['guid'] = unicode(result.domain_uuid) self.info['dc'] = unicode(result.pdc_dns_name) + self.info['is_pdc'] = (result.server_type & nbt.NBT_SERVER_PDC) != 0 # Netlogon response doesn't contain SID of the domain. # We need to do rootDSE search with LDAP_SERVER_EXTENDED_DN_OID control to reveal the SID @@ -774,6 +778,13 @@ class TrustDomainInstance(object): self.info['sid'] = unicode(result.sid) self.info['dc'] = remote_host + try: + result = self._pipe.QueryInfoPolicy2(self._policy_handle, lsa.LSA_POLICY_INFO_ROLE) + except RuntimeError, (num, message): + raise assess_dcerpc_exception(num=num, message=message) + + self.info['is_pdc'] = (result.role == lsa.LSA_ROLE_PRIMARY) + def generate_auth(self, trustdom_secret): def arcfour_encrypt(key, data): c = RC4.RC4(key) @@ -1069,9 +1080,9 @@ class TrustDomainJoins(object): rd.creds.set_anonymous() rd.creds.set_workstation(self.local_domain.hostname) if realm_server is None: - rd.retrieve_anonymously(realm, discover_srv=True) + rd.retrieve_anonymously(realm, discover_srv=True, search_pdc=True) else: - rd.retrieve_anonymously(realm_server, discover_srv=False) + rd.retrieve_anonymously(realm_server, discover_srv=False, search_pdc=True) rd.read_only = True if realm_admin and realm_passwd: if 'name' in rd.info: -- 1.9.3