samba-tool: Check specified domain and realm against our own

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Mar 28 03:11:51 UTC 2022 on sn-devel-184

python/samba/netcmd/common.py

@@ -20,6 +20,7 @@
 import re
 from samba.dcerpc import nbt
 from samba.net import Net
+from samba.netcmd import CommandError
 import ldb
 
 
@@ -27,26 +28,44 @@ import ldb
 NEVER_TIMESTAMP = int(-0x8000000000000000)
 
 
-def _get_user_realm_domain(user):
+def _get_user_realm_domain(user, sam=None):
     r""" get the realm or the domain and the base user
         from user like:
         * username
         * DOMAIN\username
         * username@REALM
+
+         A SamDB object can also be passed in to check
+        our domain or realm against the obtained ones.
     """
     baseuser = user
-    realm = ""
-    domain = ""
     m = re.match(r"(\w+)\\(\w+$)", user)
     if m:
         domain = m.group(1)
         baseuser = m.group(2)
-        return (baseuser.lower(), realm, domain.upper())
+
+        if sam is not None:
+            our_domain = sam.domain_netbios_name()
+            if domain.lower() != our_domain.lower():
+                raise CommandError(f"Given domain '{domain}' does not match "
+                                   f"our domain '{our_domain}'!")
+
+        return (baseuser.lower(), "", domain.upper())
+
+    realm = ""
     m = re.match(r"(\w+)@(\w+)", user)
     if m:
         baseuser = m.group(1)
         realm = m.group(2)
-    return (baseuser.lower(), realm.upper(), domain)
+
+        if sam is not None:
+            our_realm = sam.domain_dns_name()
+            our_realm_initial = our_realm.split('.', 1)[0]
+            if realm.lower() != our_realm_initial.lower():
+                raise CommandError(f"Given realm '{realm}' does not match our "
+                                   f"realm '{our_realm}'!")
+
+    return (baseuser.lower(), realm.upper(), "")
 
 
 def netcmd_dnsname(lp):

python/samba/netcmd/delegation.py

@@ -150,7 +150,8 @@ class cmd_delegation_show(Command):
                     credentials=creds, lp=lp)
         # TODO once I understand how, use the domain info to naildown
         # to the correct domain
-        (cleanedaccount, realm, domain) = _get_user_realm_domain(accountname)
+        (cleanedaccount, realm, domain) = _get_user_realm_domain(accountname,
+                                                                 sam)
 
         res = sam.search(expression="sAMAccountName=%s" %
                          ldb.binary_encode(cleanedaccount),
@@ -227,7 +228,8 @@ class cmd_delegation_for_any_service(Command):
                     credentials=creds, lp=lp)
         # TODO once I understand how, use the domain info to naildown
         # to the correct domain
-        (cleanedaccount, realm, domain) = _get_user_realm_domain(accountname)
+        (cleanedaccount, realm, domain) = _get_user_realm_domain(accountname,
+                                                                 sam)
 
         search_filter = "sAMAccountName=%s" % ldb.binary_encode(cleanedaccount)
         flag = dsdb.UF_TRUSTED_FOR_DELEGATION
@@ -280,7 +282,8 @@ class cmd_delegation_for_any_protocol(Command):
                     credentials=creds, lp=lp)
         # TODO once I understand how, use the domain info to naildown
         # to the correct domain
-        (cleanedaccount, realm, domain) = _get_user_realm_domain(accountname)
+        (cleanedaccount, realm, domain) = _get_user_realm_domain(accountname,
+                                                                 sam)
 
         search_filter = "sAMAccountName=%s" % ldb.binary_encode(cleanedaccount)
         flag = dsdb.UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION
@@ -325,7 +328,8 @@ class cmd_delegation_add_service(Command):
                     credentials=creds, lp=lp)
         # TODO once I understand how, use the domain info to naildown
         # to the correct domain
-        (cleanedaccount, realm, domain) = _get_user_realm_domain(accountname)
+        (cleanedaccount, realm, domain) = _get_user_realm_domain(accountname,
+                                                                 sam)
 
         res = sam.search(expression="sAMAccountName=%s" %
                          ldb.binary_encode(cleanedaccount),
@@ -379,7 +383,8 @@ class cmd_delegation_del_service(Command):
                     credentials=creds, lp=lp)
         # TODO once I understand how, use the domain info to naildown
         # to the correct domain
-        (cleanedaccount, realm, domain) = _get_user_realm_domain(accountname)
+        (cleanedaccount, realm, domain) = _get_user_realm_domain(accountname,
+                                                                 sam)
 
         res = sam.search(expression="sAMAccountName=%s" %
                          ldb.binary_encode(cleanedaccount),
@@ -433,7 +438,7 @@ class cmd_delegation_add_principal(Command):
                     credentials=creds, lp=lp)
         # TODO once I understand how, use the domain info to naildown
         # to the correct domain
-        cleanedaccount, _, _ = _get_user_realm_domain(accountname)
+        cleanedaccount, _, _ = _get_user_realm_domain(accountname, sam)
 
         account_res = sam.search(
             expression="sAMAccountName=%s" %
@@ -476,7 +481,7 @@ class cmd_delegation_add_principal(Command):
 
         # TODO once I understand how, use the domain info to naildown
         # to the correct domain
-        cleanedprinc, _, _ = _get_user_realm_domain(principal)
+        cleanedprinc, _, _ = _get_user_realm_domain(principal, sam)
 
         princ_res = sam.search(expression="sAMAccountName=%s" %
                                ldb.binary_encode(cleanedprinc),
@@ -576,7 +581,7 @@ class cmd_delegation_del_principal(Command):
                     credentials=creds, lp=lp)
         # TODO once I understand how, use the domain info to naildown
         # to the correct domain
-        cleanedaccount, _, _ = _get_user_realm_domain(accountname)
+        cleanedaccount, _, _ = _get_user_realm_domain(accountname, sam)
 
         account_res = sam.search(
             expression="sAMAccountName=%s" %
@@ -611,8 +616,7 @@ class cmd_delegation_del_principal(Command):
 
         # TODO once I understand how, use the domain info to naildown
         # to the correct domain
-        cleanedprinc, _, _ = _get_user_realm_domain(
-            principal)
+        cleanedprinc, _, _ = _get_user_realm_domain(principal, sam)
 
         princ_res = sam.search(expression="sAMAccountName=%s" %
                                ldb.binary_encode(cleanedprinc),

python/samba/netcmd/spn.py

@@ -56,7 +56,7 @@ class cmd_spn_list(Command):
                     credentials=creds, lp=lp)
         # TODO once I understand how, use the domain info to naildown
         # to the correct domain
-        (cleaneduser, realm, domain) = _get_user_realm_domain(user)
+        (cleaneduser, realm, domain) = _get_user_realm_domain(user, sam)
         self.outf.write(cleaneduser + "\n")
         res = sam.search(
             expression="samaccountname=%s" % ldb.binary_encode(cleaneduser),
@@ -107,7 +107,7 @@ class cmd_spn_add(Command):
             raise CommandError("Service principal %s already"
                                " affected to another user" % name)
 
-        (cleaneduser, realm, domain) = _get_user_realm_domain(user)
+        (cleaneduser, realm, domain) = _get_user_realm_domain(user, sam)
         res = sam.search(
             expression="samaccountname=%s" % ldb.binary_encode(cleaneduser),
             scope=ldb.SCOPE_SUBTREE, attrs=["servicePrincipalName"])