
gpo: Certificate Auto Enrollment default Kerberos auth

Certificate Auto Enrollment uses Kerberos to
authenticate to AD. If someone configures their
cepces.conf to use a different default
authentication, then samba-gpupdate fails. Force
Kerberos auth from samba-gpupdate.

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
David Mulder 2022-04-04 10:33:15 -06:00 committed by Jeremy Allison
parent a543d38cd1
commit 157d2dd77f
2 changed files with 6 additions and 3 deletions


@ -82,8 +82,8 @@ def get_supported_templates(server):
if os.path.exists(cepces_submit):
env = os.environ
env['CERTMONGER_OPERATION'] = 'GET-SUPPORTED-TEMPLATES'
p = Popen([cepces_submit, '--server=%s' % server], env=env,
stdout=PIPE, stderr=PIPE)
p = Popen([cepces_submit, '--server=%s' % server, '--auth=Kerberos'],
env=env, stdout=PIPE, stderr=PIPE)
out, err = p.communicate()
if p.returncode != 0:
log.warn('Failed to fetch the list of supported templates.')
@ -136,7 +136,8 @@ def cert_enroll(ca, trust_dir, private_dir):
cepces_submit = find_cepces_submit()
if getcert is not None and os.path.exists(cepces_submit):
p = Popen([getcert, 'add-ca', '-c', ca['cn'][0], '-e',
'%s --server=%s' % (cepces_submit, ca['dNSHostName'][0])],
'%s --server=%s --auth=Kerberos' % (cepces_submit,
ca['dNSHostName'][0])],
stdout=PIPE, stderr=PIPE)
out, err = p.communicate()
log.debug(out.decode())
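Review bot: In the `getcert add-ca` call of cert_enroll, `ca['dNSHostName'][0]` is formatted straight into the single `-e` helper command string, now next to the forced `--auth=Kerberos`, with no check that it is a plain hostname. If certmonger splits that string into arguments (it appears to), a directory value containing whitespace or a leading `-` would become extra cepces-submit options, so the value should be validated before the command is built, for example `host = ca['dNSHostName'][0]` followed by `if not re.fullmatch(r'[A-Za-z0-9.-]+', host):` and then logging and skipping that CA (this assumes `re` is imported; the imports are outside the hunk). In get_supported_templates the server stays a single argv element, so the splitting concern does not arise there. A short comment above both calls, such as `# cepces.conf may set another default; auto-enrollment requires Kerberos`, would explain why the flag is hard-coded. Both function bodies continue outside the hunks shown.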


@ -7,9 +7,11 @@ sys.path.insert(0, "bin/python")
if __name__ == "__main__":
parser = optparse.OptionParser('cepces-submit [options]')
parser.add_option('--server')
parser.add_option('--auth')
(opts, args) = parser.parse_args()
assert opts.server is not None
assert opts.auth == 'Kerberos'
if 'CERTMONGER_OPERATION' in os.environ and \
os.environ['CERTMONGER_OPERATION'] == 'GET-SUPPORTED-TEMPLATES':
print('Machine') # Report a Machine template