[IMP] Some improvements

2024-05-07 22:02:44 +02:00
parent c42097adbb
commit f14bb52da5
4 changed files with 17 additions and 11 deletions
+12 -8
@@ -183,13 +183,12 @@ def create_openssl_config(force=False,verbose=False):
if verbose: if verbose:
subprocess.run(f'openssl x509 -in {TisPKI.root_ca_certfile()} -text', shell=True, check=True, executable='/bin/bash') subprocess.run(f'openssl x509 -in {TisPKI.root_ca_certfile()} -text', shell=True, check=True, executable='/bin/bash')
Printing.information(f'Root CA Certfile is stored in {TisPKI.root_ca_certfile()}') Printing.information(f'Root CA Certfile is stored in {TisPKI.root_ca_certfile()}')
input("Press Enter to continue...")
else: else:
Printing.error('Error on generating Root CA private key') Printing.error('Error on generating Root CA private key')
os.remove(TisPKI.root_ca_keyfile()) os.remove(TisPKI.root_ca_keyfile())
retry = input('If you want to retry, press Y : ') retry = input('If you want to retry, press Y : ')
if retry == "y" or retry == 'Y': if retry == "y" or retry == 'Y':
create_openssl_config() create_openssl_config(force,verbose)
else: else:
Printing.warning('Root CA private key and certificate already exist. Skip.') Printing.warning('Root CA private key and certificate already exist. Skip.')
@@ -266,13 +265,15 @@ def create_openssl_intermediate(name, force=False,verbose=False):
-out {TisPKI.intermediate_ca_certfile(name)}", shell=True, check=True, executable='/bin/bash') -out {TisPKI.intermediate_ca_certfile(name)}", shell=True, check=True, executable='/bin/bash')
if sign_intermediate_ca.returncode == 0: if sign_intermediate_ca.returncode == 0:
if verbose: if verbose:
subprocess.run(f'openssl x509 -in {TisPKI.intermediate_ca_certfile(name)} -text', shell=True, check=True, executable='/bin/bash') subprocess.run(f'openssl x509 -in {TisPKI.intermediate_ca_certfile(name)} -text', shell=True, check=True, executable='/bin/bash')
Printing.success(f'Intermediate CA Certfile is stored in : {TisPKI.intermediate_ca_certfile(name)}') Printing.success(f'Intermediate CA Certfile is stored in : {TisPKI.intermediate_ca_certfile(name)}')
else: else:
Printing.error('Error on generating Intermediate CA private key') Printing.error('Error on generating Intermediate CA private key')
sys.exit(1) os.remove(TisPKI.intermediate_ca_keyfile(name))
retry = input('If you want to retry, press Y : ')
if retry == "y" or retry == 'Y':
create_openssl_intermediate(name, force, verbose)
else: else:
Printing.warning('Intermediate CA private key and certificate already exist. Skip.') Printing.warning('Intermediate CA private key and certificate already exist. Skip.')
@@ -308,16 +309,17 @@ def generate_dc_certificate(dc_name=None, ca_name=None, force=False, verbose=Fal
Printing.error('Unable to find dc_guid') Printing.error('Unable to find dc_guid')
sys.exit(1) sys.exit(1)
else: else:
dc_guid = str(subprocess.check_output(f'/bin/bash get_guid.sh',shell=True).decode("utf-8")).strip() dc_name_guid = dc_name.split('.')[0]
dc_guid = str(subprocess.check_output(f'/bin/bash get_guid.sh {dc_name_guid}',shell=True).decode("utf-8")).strip()
if verbose: if verbose:
Printing.information(f'{dc_name} GUID is : ', str(dc_guid).strip()) Printing.information(f'{dc_name} GUID is : ' + str(dc_guid).strip())
template_dir = ('templates') template_dir = ('templates')
jinja_env = jinja2.Environment(loader=jinja2.FileSystemLoader(template_dir)) jinja_env = jinja2.Environment(loader=jinja2.FileSystemLoader(template_dir))
dc_tmpl = jinja_env.get_template('openssl_server_cert.tmpl') dc_tmpl = jinja_env.get_template('openssl_server_cert.tmpl')
dc_tmpl_var = { dc_tmpl_var = {
'dc_name': f"{dc_name}", 'dc_name': dc_name,
'dc_guid': str(dc_guid), 'dc_guid': str(dc_guid),
'crl_uri': crl_uri, 'crl_uri': crl_uri,
'pki_dir': pki_dir, 'pki_dir': pki_dir,
@@ -328,7 +330,9 @@ def generate_dc_certificate(dc_name=None, ca_name=None, force=False, verbose=Fal
'organization_name': config.get('openssl_config','organization_name'), 'organization_name': config.get('openssl_config','organization_name'),
'organization_ou': config.get('openssl_config','organization_ou'), 'organization_ou': config.get('openssl_config','organization_ou'),
'dc_ca_keyfile': dc_ca_keyfile, 'dc_ca_keyfile': dc_ca_keyfile,
'dc_ca_certfile': dc_ca_certfile 'dc_ca_certfile': dc_ca_certfile,
'commonName': dc_name
} }
config_string = dc_tmpl.render(dc_tmpl_var) config_string = dc_tmpl.render(dc_tmpl_var)
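Review bot: The new `get_guid.sh` invocation on the `dc_guid = ...` line of the `generate_dc_certificate` hunk interpolates `dc_name_guid`, which is derived from the `--dc-name` command-line value, into a `shell=True` command string, so shell metacharacters in that name are interpreted by the shell instead of being handed to the script as data. Passing an argument list removes the shell from the path and also drops the redundant `str(...)` around the decoded output: `dc_guid = subprocess.check_output(['/bin/bash', 'get_guid.sh', dc_name_guid]).decode('utf-8').strip()`. The preceding `dc_name_guid = dc_name.split('.')[0]` raises `AttributeError` if `dc_name` is still its `None` default, which presumably the branch above already excludes but is not visible here. The same f-string-plus-`shell=True` pattern appears in the `openssl x509 -in ...` calls of the two earlier hunks, though those only interpolate paths returned by `TisPKI`. All three functions begin and continue outside their hunks.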
+1 -2
@@ -28,8 +28,7 @@ convertToHex() {
realm=$(grep -i realm /etc/samba/smb.conf | awk '{print $3}' | tr '[:upper:]' '[:lower:]') realm=$(grep -i realm /etc/samba/smb.conf | awk '{print $3}' | tr '[:upper:]' '[:lower:]')
dc=$(echo $realm | awk -F '.' '{for(i = 1; i <= NF; i++) {printf ",DC=" $i}}') dc=$(echo $realm | awk -F '.' '{for(i = 1; i <= NF; i++) {printf ",DC=" $i}}')
base="OU=Domain Controllers${dc}" base="OU=Domain Controllers${dc}"
cn=$(hostname -s) cn=$1
#cn=$(srvads2)
GUID=$(ldbsearch -H /var/lib/samba/private/sam.ldb --basedn="$base" "CN=${cn}" objectGUID \ GUID=$(ldbsearch -H /var/lib/samba/private/sam.ldb --basedn="$base" "CN=${cn}" objectGUID \
| grep '^objectGUID:' \ | grep '^objectGUID:' \
| awk '{print $2}' \ | awk '{print $2}' \
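Review bot: `cn=$1` replaces the host's own short name with a caller-supplied one, but nothing checks that an argument was actually given, so an empty `$1` produces a `CN=` expression for `ldbsearch` and an empty GUID that the Python caller strips and renders without any further check in the branch shown. A guard such as `cn=${1:?usage: get_guid.sh <dc-short-name>}` fails loudly instead, and since the value ends up inside the search expression, limiting it to hostname characters with `[[ $cn =~ ^[A-Za-z0-9-]+$ ]] || exit 1` is a cheap extra safeguard. The hunk header names `convertToHex()` as context but these lines read as top-level script statements; either way the surrounding code lies outside the hunk.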
+3 -1
@@ -22,7 +22,7 @@ def main():
create_group = parser.add_argument_group('Create options') create_group = parser.add_argument_group('Create options')
create_group.add_argument('--initialize', dest="initialize", action="store_true", help="Create PKI") create_group.add_argument('--initialize', dest="initialize", action="store_true", help="Create PKI")
create_group.add_argument('--full-initialize', dest="full-initialize", action="store_true", help="Create Root CA, intermediate CA and DC certificate. Use --name and --dc-name") create_group.add_argument('--full-initialize', dest="full_initialize", action="store_true", help="Create Root CA, intermediate CA and DC certificate. Use --name and --dc-name")
create_group.add_argument('--create-intermediate', dest="create_intermediate", action="store_true", help="Create an intermediate CA. Specify name with --name option.") create_group.add_argument('--create-intermediate', dest="create_intermediate", action="store_true", help="Create an intermediate CA. Specify name with --name option.")
create_group.add_argument('--create-dc-cert', dest="create_dc_cert", action="store_true", help="Create a certificat for a Domain Controler") create_group.add_argument('--create-dc-cert', dest="create_dc_cert", action="store_true", help="Create a certificat for a Domain Controler")
@@ -69,7 +69,9 @@ def main():
print('Add --dc-name or --name with this command') print('Add --dc-name or --name with this command')
else: else:
create_openssl_config(force=args.force,verbose=args.verbose) create_openssl_config(force=args.force,verbose=args.verbose)
input("Press Enter to continue...")
create_openssl_intermediate(args.intermediate_name,args.force,args.verbose) create_openssl_intermediate(args.intermediate_name,args.force,args.verbose)
input("Press Enter to continue...")
generate_dc_certificate(dc_name=args.dc_name, ca_name=args.intermediate_name, force=args.force, verbose=args.verbose) generate_dc_certificate(dc_name=args.dc_name, ca_name=args.intermediate_name, force=args.force, verbose=args.verbose)
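Review bot: The two `input("Press Enter to continue...")` calls added between the steps of the `--full-initialize` path make the command unusable from non-interactive contexts: with stdin closed or redirected, `input()` raises `EOFError` after the Root CA step has already run, aborting the sequence midway. Gating the pause on a terminal, `if sys.stdin.isatty(): input("Press Enter to continue...")` (assuming `sys` is imported in this file), keeps the behaviour for interactive users while letting scripted runs proceed; a dedicated opt-out flag would be the explicit alternative. The `dest="full_initialize"` correction in the first hunk is needed because `full-initialize` was not reachable as an attribute of `args`. The middle call passes `args.force` and `args.verbose` positionally while its neighbours use keywords; `create_openssl_intermediate(args.intermediate_name, force=args.force, verbose=args.verbose)` would match them. `main` continues outside both hunks.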
+1
@@ -81,6 +81,7 @@ organizationalUnitName_default = {{ organization_unit }}
commonName = Common Name (eg, Your Name or server name) commonName = Common Name (eg, Your Name or server name)
commonName_max = 64 commonName_max = 64
commonName_default = {{ commonName }}
emailAddress = Email Address emailAddress = Email Address
emailAddress_max = 64 emailAddress_max = 64
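Review bot: The added `commonName_default = {{ commonName }}` introduces a second template variable carrying the same value as `dc_name` (the Python side now sets both `'dc_name': dc_name` and `'commonName': dc_name`); `commonName_default = {{ dc_name }}` would avoid the duplicate key and one more thing to keep in sync. The value is rendered unquoted into an OpenSSL config, where `#` starts a comment and `$` starts variable expansion, so `commonName_default = "{{ commonName }}"` is the safer form should the name ever be something other than a plain hostname. The context line `organizationalUnitName_default = {{ organization_unit }}` does not match the `organization_ou` key passed from Python; with Jinja2's default `Undefined` that renders as an empty string, which looks unintended but predates this change.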